Solved

Hundreds of spam messages all of a sudden

Posted on 2009-07-09
36
953 Views
Last Modified: 2013-12-09
One user on the domain getting hundreds of spam messages a day all of a sudden. The Exchange server is protected by Symantec Mail Security with Premium Anti-Spam (Cost me a fortune). I have gone over the PC with a fine tooth comb and found nothing suspicious going on in terms of viruses, spyware, etc. Not sure what to do next. Any ideas would be very welcome. Have included a sample.
______________________________________________ 

From:   System Administrator  

Sent:   09 July 2009 02:01 

To:     ssass124@hotmail.com 

Subject:        Undeliverable:Partnership. 

 

Your message did not reach some or all of the intended recipients. 

 

      Subject:  Partnership. 

      Sent:     09/07/2009 01:57 

 

The following recipient(s) could not be reached: 

 

      ssass124@hotmail.com on 09/07/2009 02:01 

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

 

            <SNT0-MC3-F4.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (64168608:3309:-2147467259)>

Question by:Paulduberry
36 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 24812010
It looks like a loop you are having with a message that needs to go the specified hotmail mailbox.. The mailbox does not exist, the sender receives a message that the mailbox does not exist and resends the message to get it there..

This really doesn't look like spam judging by the mail you've attached.. Are you in the ability to stop the MTA and restart it?? This normally flushes the mail queue and hopefully the "bad" email (as said, it looks like a loophole in your e-mail)..
 

Author Comment

by:Paulduberry
ID: 24812076
Another sample. Slightly different this time. Could be spoofing?
From:   System Administrator  

Sent:   08 July 2009 15:31 

To:     zepernickc@cintas.com 

Subject:        Undeliverable:Long/Short Term Bridging Loans 
 

Your message did not reach some or all of the intended recipients. 
 

      Subject:  Long/Short Term Bridging Loans 

      Sent:     08/07/2009 15:21 
 

The following recipient(s) could not be reached: 
 

      zepernickc@cintas.com on 08/07/2009 15:31 

            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
 

            <c092ex04.cintas.com #5.1.1> 

 

Author Comment

by:Paulduberry
ID: 24812082
And another.
______________________________________________ 

From:   System Administrator  

Sent:   08 July 2009 22:31 

To:     ebardos@vkesztergom.hu 

Subject:        Undeliverable:Re: Your Euro Million Lotto Results 
 

Your message did not reach some or all of the intended recipients. 
 

      Subject:  Re: Your Euro Million Lotto Results 

      Sent:     08/07/2009 22:18 
 

The following recipient(s) could not be reached: 
 

      ebardos@vkesztergom.hu on 08/07/2009 22:31 

            The message could not be delivered because the recipient's mailbox is full. 

            <bors-mailstore-1 (ims-ms-daemon) #4.2.2> 

 
LVL 65

Expert Comment

by:Mestha
ID: 24812115
That is just back scatter. Doesn't mean the machine is infected.
The spammer is using that user's email address as the From address. The sites reject the email and send it back to the "sender". Very common.

Not a massive amount you can do about it, because your server must accept the NDRs otherwise you will get blacklisted.

Simon.
 

Author Comment

by:Paulduberry
ID: 24812183
Can I stop the NDRs from getting to the user's Inbox?
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24812255
You can make a rule in Outlook to stop NDRs from coming into the Inbox directly. You can move them to some other folder where they can be later deleted.
 
LVL 65

Expert Comment

by:Mestha
ID: 24812281
NDRs are system messages. I don't think you will be able to create a rule on them because of their message format.

Simon.
 
LVL 8

Expert Comment

by:Timoros
ID: 24812287
I've seen many cases where the user submits his/her email to subscription services or various mailing lists and the Spammers begin their attacks on his/her mailbox!

Check also Symantec's settings-properties - raise the SCL rating

I don't know the possibilities that Symantec Mail Security with Premium Anti-Spam has but you can check here :
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007020615531854
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008031208452954
 

Author Comment

by:Paulduberry
ID: 24821474
This user had over 1000 undeliverables in the Inbox between 9 and 10 this morning. I have configured Symantec Mail Security according to the links Timoros provided and restarted the server. Before I give up and start to award points, can someone categorically state that this is something that we will always have to deal with for this particular email address and the only way out is by changing the email address?
 
LVL 23

Expert Comment

by:rhandels
ID: 24821751
My point of an accidental loophole still stands...
I've seen this behaviour and, imho, this doesn't look like spam to me.. It looks like you've accidentally created a loop in your e-mail traffic.. After the restart, did he receive that many e-mails again??
 

Author Comment

by:Paulduberry
ID: 24821995
Yes. I restarted last night. There were over 1000 undeliverables waiting for the user this morning.
 

Author Comment

by:Paulduberry
ID: 24838332
Below is the actual header of a typical message. Maybe this will throw a slightly different light on the problem. Could someone please look at it? I don't even recognise the return-path (ros2000@eircom.net) as our domain name is roscrea2000.com.
Microsoft Mail Internet Headers Version 2.0

Received: from mail pickup service by roscrea2000.com with Microsoft SMTPSVC; Mon, 13 Jul 2009 09:47:55 +0100

thread-index: AcoDlp1pehzjTH2vSpO0mC9cFSXUHg==

Cc: 

Bcc: 

Return-Path: 

Delivered-To: eircom.net-ros2000@eircom.net

Message-ID: <CD4743F095794DAF8DE66030ED892546@roscrea2k.local>

Content-Transfer-Encoding: 7bit

X-Mailer: Microsoft CDO for Exchange 2000

From: <postmaster@hotmail.com>

To: <ros2000@eircom.net>

Date: Mon, 13 Jul 2009 09:47:55 +0100

MIME-Version: 1.0

Content-Class: urn:content-classes:message

Importance: normal

Priority: normal

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325

Status: RO

X-UIDL: 1247451010.89485.mailscanned02.svc.cra.dublin.eircom.net,S=4621

Content-Type: multipart/report;

	report-type=delivery-status;

	boundary="9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col"

X-DSNContext: 335a7efd - 4480 - 00000001 - 80040546

Subject: Delivery Status Notification (Failure)

Content-Antispam: Probably not spam. 1.20 < 3.00 [as:1.20 cc:0.00 sa:1.20]

Content-Security: Checked by F-Prot AVES (http://aves.f-prot.com/)

X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com/)

X-OriginalArrivalTime: 13 Jul 2009 02:07:34.0074 (UTC) FILETIME=[AF9001A0:01CA035E]
 

--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col

Content-Transfer-Encoding: 7bit

Content-Type: text/plain;

	charset="unicode-1-1-utf-7"
 

--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col

Content-Transfer-Encoding: 7bit

Content-Type: message/delivery-status
 

--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col

Content-Transfer-Encoding: 7bit

Content-Type: message/rfc822
 

Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);

	 Sun, 12 Jul 2009 19:07:33 -0700

Received: (qmail 15291 messnum 5480333 invoked from network[86.43.60.104/webmail04.webmail.cra.eircom.net]); 13 Jul 2009 02:07:32 -0000

Received: from webmail04.webmail.cra.eircom.net (HELO webmailclassic.eircom.net) (86.43.60.104)

  by mail01.svc.cra.dublin.eircom.net (qp 15291) with SMTP; 13 Jul 2009 02:07:32 -0000

From: "Head of Finance Dept " <ros2000@eircom.net>

Reply-To: <hiro.tokyo-japan@hotmail.co.uk>

To:  

Subject: Partnership.

Date: Mon, 13 Jul 2009 03:07:32 +0100

Mime-Version: 1.0

Content-Type: text/plain; charset=us-ascii

Content-Transfer-Encoding: 8bit

X-Originating-IP: 148.233.229.235

X-Mailer: Eircom Net CRC Webmail (http://www.eircom.net/)

Organization: Eircom Net (http://www.eircom.net/)

Return-Path: ros2000@eircom.net

Message-ID: <COL0-MC2-F40qOdK6NI0069ed1d@col0-mc2-f40.Col0.hotmail.com>

X-OriginalArrivalTime: 13 Jul 2009 02:07:33.0546 (UTC) FILETIME=[AF3F70A0:01CA035E]
 
 

--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col

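Mestha's point above (these NDRs are backscatter from a forged From address) can be checked mechanically against a header like the one just posted. Added example, not code from the thread: it parses a DSN with Python's email library and looks at which host first handled the returned original; OUR_MTAS and the sample NDR are constructed assumptions modelled on the posted headers.

```python
"""Flag a non-delivery report (NDR) as backscatter. Added example, not from the
thread: if the original enclosed in a DSN entered the mail system through a
host that is not ours, our user's address was forged on it (backscatter)."""
import email
import re
from email import policy

# Assumption: the only hosts that legitimately originate roscrea2000.com mail.
OUR_MTAS = ("roscrea2000.com", "roscrea2k.local")

# Constructed sample modelled on the DSN in the thread: the forged
# "Partnership." mail was injected through an eircom.net webmail host.
SAMPLE_NDR = """From: <postmaster@hotmail.com>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com with SMTP
Received: from webmail04.webmail.cra.eircom.net (86.43.60.104) by mail01.svc.cra.dublin.eircom.net with SMTP
From: "Head of Finance Dept " <ros2000@eircom.net>
To: <ssass124@hotmail.com>
Subject: Partnership.

Dear friend, ...
--B1--
"""

def returned_original(msg):
    """Original message enclosed in a DSN, or None if this is not a DSN."""
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.iter_parts():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def injection_host(original):
    """Host after 'by' in the oldest Received header (the last one listed)."""
    received = original.get_all("Received", [])
    m = re.search(r"\bby\s+([\w.\-]+)", received[-1]) if received else None
    return m.group(1).lower() if m else ""

def classify(raw_ndr):
    """Return 'backscatter', 'legitimate-bounce' or 'not-a-dsn'."""
    msg = email.message_from_string(raw_ndr, policy=policy.default)
    original = returned_original(msg)
    if original is None:
        return "not-a-dsn"
    host = injection_host(original)
    if any(host == d or host.endswith("." + d) for d in OUR_MTAS):
        return "legitimate-bounce"
    return "backscatter"
```

A bounce whose enclosed original never passed through our own server cannot be stopped at the sender; it can only be filed away, as suggested earlier in the thread.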
 
LVL 23

Expert Comment

by:rhandels
ID: 24838604
did you block relaying on your server???
 

Author Comment

by:Paulduberry
ID: 24838671
Unfortunately, I wouldn't be an expert on Exchange but if you could tell me where to check for this setting I'll let you know. Thanks.
 
LVL 23

Expert Comment

by:rhandels
ID: 24838692
Hi, go to your Exchange system administrator, then server, then protocols and then go to SMTP.. Choose properties here and i thought that on the first tab (don't have an exchange in front of me :)) there should be an option relay. Make sure that no machines are able to relay here.. Normally you don't want any machines to relay, only in some cases where you have local machines that need to use your Exchange server to mail.
 

Author Comment

by:Paulduberry
ID: 24838747
Looks like it's relaying. See screenshot attached.
Relay.JPG
 
LVL 23

Expert Comment

by:rhandels
ID: 24838789
hmm.. depends.. This only means that your internal machines (all machines in the 10.x.x.x range) have permissions to send mail through your Exchange server.
If there is one machine that has a virus or spyware, it can also cause this kind of behaviour.
You can remove these ip addresses (the 10.0.0.10 one) but do keep in mind that it might cause issues for users who are using your Exchange server for mailing stuff..
 

Author Comment

by:Paulduberry
ID: 24838835
Then I can't remove it because all PCs in the domain use Exchange for mail.
 
LVL 23

Expert Comment

by:rhandels
ID: 24838864
No i didn't mean that.. Users are able to connect to the Exchange server because they are using MAPI and Outlook to send e-mails.. What i mean is if you for example have some sort of web application and you would like to send e-mails using this webserver that it can use the Exchange server to e-mail without using any credentials, so anonymous..

You can delete the setting (keep it for future reference) and wait for users if they have issues.. Do you have any idea why someone enabled this setting?? With what purpose??
 

Author Comment

by:Paulduberry
ID: 24839385
No idea. It's always been like that. Just remove the checkmark or the other setting with allowed IPs or both?
 
LVL 23

Expert Comment

by:rhandels
ID: 24839517
Always use only the list below, make sure to add your own server's ip address (besides from the 127.0.0.1) to the list and always (yes please, always :)) check the tickbox for "Allow all computers which successfully...blablabla". Otherwise, all your domain users would be unable to send e-mail.. This is what they use to actually send the mails through your Exchange server...
 

Author Comment

by:Paulduberry
ID: 24839636
OK then. But that's how it is currently set. We haven't got our wires crossed, have we? The jpg that shows the current setting is how you say it should be set? In which case, we have advanced the issue not one step.
 
LVL 23

Accepted Solution

by:
rhandels earned 500 total points
ID: 24839788
Okay, sorry, it looks like we are talking about 2 different things..

The way it is set up not in normal English is that all machines that are able to contact your Exchange server and are within the 10.x.x.x range are able to send e-mail using your mail server, even if they are not authenticated or authorized to do so.

The way you want it to set up is to only let your own server (no idea what it's ip address is, let's say 10.0.0.10) and the localhost 127.0.0.1 be able to communicate with the server without the need to authenticate, thus meaning the first option should be 10.0.0.10 (without any mask at the end).

That said.. In a normal environment you will always have 1 or 2 machines that need to use your Exchange server for sending e-mail. Normally applications that have an e-mail functionality or webservers that need to mail to your customers... You can add them to the list.

What is done here is in fact being the lazy admin (like we all are :)) and just adding the entire internal network to the relaying list.. The possible threat of this is that applications on workstations (that can even be non domain members, if private laptops get an ip address they can also do that) are able to send mail through your Exchange server creating a possible security hole..
 

Author Comment

by:Paulduberry
ID: 24840004
So the thing to try is to remove the entry with the mask ((10.0.0.10 (255.0.0.0)) and add the server's IP only which is 10.0.0.10?
 
LVL 23

Expert Comment

by:rhandels
ID: 24840047
Jup....


But as said!!!! Do keep in mind that there may be computers that use your Exchange server to send e-mails... If so, make sure to add those ip addresses to the list too.
How many workstations do you have in your network?? Cause i think you need to look at all machines to see if one of them is actually infected with some sort of software..
 

Author Comment

by:Paulduberry
ID: 24840651
About 30 PCs. Don't believe any other PC needs to use Exchange server to send emails. Can't imagine what kind of an ordeal it would be to test every PC in the building. They all have Symantec Client Security installed so I don't know.
 

Author Comment

by:Paulduberry
ID: 24840995
Does Jup mean Yes?
 

Author Comment

by:Paulduberry
ID: 24841280
Also, if I make the change in Exchange System Manager does the server need to be restarted?
 
LVL 23

Expert Comment

by:rhandels
ID: 24842108
Jup means yes :) :)
And to be honest i'm not quite sure if you need to restart the services.. A server restart isn't necessary, you can restart the Exchange services. If you restart the Exchange System Attendant all other services will restart automatically, they are dependent on this service..
 

Author Comment

by:Paulduberry
ID: 24844293
Right. Stand by. I've made the change so we'll see if it makes any difference to all this spam that's coming into this particular email account over the next 24 hours or so.
 

Author Comment

by:Paulduberry
ID: 24847529
Just an update rhandels. No undeliverables this morning. Man, if you've fixed this I'll be forever in your debt. I'm going to wait until 5PM GMT until I can say for sure. Is that ok? Thanks.
 
LVL 23

Expert Comment

by:rhandels
ID: 24847564
Hey,

Sure it's okay, i surely hope it is fixed now :) :) The only downside to this change is that you will need to check all your machines within your network to find which one was actually responsible for the spam mails...
 

Author Comment

by:Paulduberry
ID: 24847899
Any suggestions as to what I could do here? This building is like a rabbit's warren. I don't even know if I am going to be able to find all the PCs let alone find some nasty bug on one. Are there any network tools that I can run from the server that you know of in order to narrow this down a bit? What's the down side in the event that I never actually find the offending beast?
 
LVL 23

Expert Comment

by:rhandels
ID: 24848107
pfff... Finding a tool that finds it is rather difficult if you don't know what program or spyware or virus or whatever is causing it..
If you have some sort of central virus solution then that is your best way to go.. Trying to find what machines are sending out is not the easiest thing. You could also try and use Microsoft MBSA (Microsoft Baseline Security Analyzer) to check if machines conform to company policy.

If you have machines there that are not on your domain and you don't have options for blocking them from getting an ip address you're practically screwed..

If you're unable to find the machine it might be a risk that this machine will infect your entire network or clog up your network traffic.. Tbh these are worst case scenarios..
 

Author Comment

by:Paulduberry
ID: 24848172
All righty then.
 

Author Closing Comment

by:Paulduberry
ID: 31601501
I really appreciate your help with this problem. It looks like the problem is now sorted albeit I have to find the original offender but I'm happy. Thanks again. I had almost given up hope with this one.