Solved

Hundreds of spam messages all of a sudden

Posted on 2009-07-09
36
965 Views
Last Modified: 2013-12-09
One user on the domain is getting hundreds of spam messages a day all of a sudden. The Exchange server is protected by Symantec Mail Security with Premium Anti-Spam (Cost me a fortune). I have gone over the PC with a fine tooth comb and found nothing suspicious going on in terms of viruses, spyware, etc. Not sure what to do next. Any ideas would be very welcome. Have included a sample.
______________________________________________ 
From:   System Administrator  
Sent:   09 July 2009 02:01 
To:     ssass124@hotmail.com 
Subject:        Undeliverable:Partnership. 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Partnership. 
      Sent:     09/07/2009 01:57 
 
The following recipient(s) could not be reached: 
 
      ssass124@hotmail.com on 09/07/2009 02:01 
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
 
            <SNT0-MC3-F4.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (64168608:3309:-2147467259)>


0
Comment
Question by:Paulduberry
36 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 24812010
It looks like a loop you are having with a message that needs to go to the specified hotmail mailbox.. The mailbox does not exist, the sender receives a message that the mailbox does not exist and resends the message to get it there..

This really doesn't look like spam judging by the mail you've attached.. Are you able to stop the MTA and restart it?? This normally flushes the mail queue and hopefully the "bad" email (as said, it looks like a loophole in your e-mail)..
0
 

Author Comment

by:Paulduberry
ID: 24812076
Another sample. Slightly different this time. Could be spoofing?
From:   System Administrator  
Sent:   08 July 2009 15:31 
To:     zepernickc@cintas.com 
Subject:        Undeliverable:Long/Short Term Bridging Loans 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Long/Short Term Bridging Loans 
      Sent:     08/07/2009 15:21 
 
The following recipient(s) could not be reached: 
 
      zepernickc@cintas.com on 08/07/2009 15:31 
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
 
            <c092ex04.cintas.com #5.1.1> 


0
 

Author Comment

by:Paulduberry
ID: 24812082
And another.
______________________________________________ 
From:   System Administrator  
Sent:   08 July 2009 22:31 
To:     ebardos@vkesztergom.hu 
Subject:        Undeliverable:Re: Your Euro Million Lotto Results 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Re: Your Euro Million Lotto Results 
      Sent:     08/07/2009 22:18 
 
The following recipient(s) could not be reached: 
 
      ebardos@vkesztergom.hu on 08/07/2009 22:31 
            The message could not be delivered because the recipient's mailbox is full. 
            <bors-mailstore-1 (ims-ms-daemon) #4.2.2> 


0
 
LVL 65

Expert Comment

by:Mestha
ID: 24812115
That is just back scatter. Doesn't mean the machine is infected.
The spammer is using that user's email address as the From address. The sites reject the email and send it back to the "sender". Very common.

Not a massive amount you can do about it, because your server must accept the NDRs otherwise you will get blacklisted.

Simon.
0
 

Author Comment

by:Paulduberry
ID: 24812183
Can I stop the NDRs from getting to the user's Inbox?
0
 
LVL 13

Expert Comment

by:lastlostlast
ID: 24812255
You can make a rule in Outlook to stop NDRs from coming into the Inbox directly. You can move them to some other folder where they can be deleted later.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24812281
NDRs are system messages. I don't think you will be able to create a rule on them because of their message format.

Simon.
0
 
LVL 8

Expert Comment

by:Timoros
ID: 24812287
I've seen many cases where the user submits his/her email to subscription services or various mailing lists and the spammers begin their attacks on his/her mailbox!

Check also Symantec's settings/properties - raise the SCL rating

I don't know the possibilities that Symantec Mail Security with Premium Anti-Spam has, but you can check here:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007020615531854
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008031208452954
0
 

Author Comment

by:Paulduberry
ID: 24821474
This user had over 1000 undeliverables in the Inbox between 9 and 10 this morning. I have configured Symantec Mail Security according to the links Timoros provided and restarted the server. Before I give up and start to award points, can someone categorically state that this is something that we will always have to deal with for this particular email address and the only way out is by changing the email address?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24821751
My point of an accidental loophole still stands...
I've seen this behaviour and, imho, this doesn't look like spam to me.. It looks like you've accidentally created a loop in your e-mail traffic.. After the restart, did he receive that many e-mails again??
0
 

Author Comment

by:Paulduberry
ID: 24821995
Yes. I restarted last night. There were over 1000 undeliverables waiting for the user this morning.
0
 

Author Comment

by:Paulduberry
ID: 24838332
Below is the actual header of a typical message. Maybe this will throw a slightly different light on the problem. Could someone please look at it? I don't even recognise the return-path (ros2000@eircom.net) as our domain name is roscrea2000.com.
Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by roscrea2000.com with Microsoft SMTPSVC; Mon, 13 Jul 2009 09:47:55 +0100
thread-index: AcoDlp1pehzjTH2vSpO0mC9cFSXUHg==
Cc: 
Bcc: 
Return-Path: 
Delivered-To: eircom.net-ros2000@eircom.net
Message-ID: <CD4743F095794DAF8DE66030ED892546@roscrea2k.local>
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
From: <postmaster@hotmail.com>
To: <ros2000@eircom.net>
Date: Mon, 13 Jul 2009 09:47:55 +0100
MIME-Version: 1.0
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Status: RO
X-UIDL: 1247451010.89485.mailscanned02.svc.cra.dublin.eircom.net,S=4621
Content-Type: multipart/report;
	report-type=delivery-status;
	boundary="9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col"
X-DSNContext: 335a7efd - 4480 - 00000001 - 80040546
Subject: Delivery Status Notification (Failure)
Content-Antispam: Probably not spam. 1.20 < 3.00 [as:1.20 cc:0.00 sa:1.20]
Content-Security: Checked by F-Prot AVES (http://aves.f-prot.com/)
X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com/)
X-OriginalArrivalTime: 13 Jul 2009 02:07:34.0074 (UTC) FILETIME=[AF9001A0:01CA035E]
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset="unicode-1-1-utf-7"
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: message/delivery-status
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: message/rfc822
 
Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Sun, 12 Jul 2009 19:07:33 -0700
Received: (qmail 15291 messnum 5480333 invoked from network[86.43.60.104/webmail04.webmail.cra.eircom.net]); 13 Jul 2009 02:07:32 -0000
Received: from webmail04.webmail.cra.eircom.net (HELO webmailclassic.eircom.net) (86.43.60.104)
  by mail01.svc.cra.dublin.eircom.net (qp 15291) with SMTP; 13 Jul 2009 02:07:32 -0000
From: "Head of Finance Dept " <ros2000@eircom.net>
Reply-To: <hiro.tokyo-japan@hotmail.co.uk>
To:  
Subject: Partnership.
Date: Mon, 13 Jul 2009 03:07:32 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-Originating-IP: 148.233.229.235
X-Mailer: Eircom Net CRC Webmail (http://www.eircom.net/)
Organization: Eircom Net (http://www.eircom.net/)
Return-Path: ros2000@eircom.net
Message-ID: <COL0-MC2-F40qOdK6NI0069ed1d@col0-mc2-f40.Col0.hotmail.com>
X-OriginalArrivalTime: 13 Jul 2009 02:07:33.0546 (UTC) FILETIME=[AF3F70A0:01CA035E]
 
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col


0
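Mestha's backscatter explanation can be checked mechanically against a bounce like the one posted above. The following is an added example, not code from the thread: it parses a DSN with Python's standard `email` package and labels it backscatter when the attached original message's Received chain never passed through one of our own hosts. The sample DSN is constructed from the posted header (trimmed), and `OUR_HOSTS` is an assumption taken from the names visible in it.

```python
import email
import re
from email import policy

# Assumption (not from the thread): hosts a message from a real local user would pass through.
OUR_HOSTS = ("roscrea2000.com", "roscrea2k.local")

# Constructed DSN skeleton, trimmed from the bounce posted in the thread; {received} takes the chain.
DSN_TEMPLATE = """\
From: <postmaster@hotmail.com>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Action: failed

--B1
Content-Type: message/rfc822

{received}From: "Head of Finance Dept " <ros2000@eircom.net>
Reply-To: <hiro.tokyo-japan@hotmail.co.uk>
Subject: Partnership.
X-Originating-IP: 148.233.229.235

(forged body)
--B1--
"""
FORGED_HOPS = (  # Received chain of the posted bounce: eircom -> hotmail, never the poster's server
    "Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com"
    " with Microsoft SMTPSVC;\n\t Sun, 12 Jul 2009 19:07:33 -0700\n"
    "Received: from webmail04.webmail.cra.eircom.net (86.43.60.104) by mail01.svc.cra.dublin.eircom.net"
    " with SMTP; 13 Jul 2009 02:07:32 -0000\n")
GENUINE_HOPS = ("Received: from roscrea2k.local ([10.0.0.10]) by roscrea2000.com with Microsoft SMTPSVC;\n"
                "\t Mon, 13 Jul 2009 09:00:00 +0100\n")  # constructed contrast case: really left our server

def received_hops(msg):
    """Return the 'by <host>' token of each Received header, oldest hop first."""
    found = (re.search(r"\bby\s+([^\s;(]+)", str(v)) for v in msg.get_all("Received", []))
    return [m.group(1).lower() for m in found if m][::-1]

def classify_bounce(raw, our_hosts=OUR_HOSTS):
    """Label a DSN 'backscatter' when its attached original never passed through our hosts."""
    dsn = email.message_from_string(raw, policy=policy.default)
    if dsn.get_content_type() != "multipart/report" or dsn.get_param("report-type") != "delivery-status":
        return {"verdict": "not-a-dsn"}
    orig = next((p.get_payload(0) for p in dsn.walk() if p.get_content_type() == "message/rfc822"), None)
    if orig is None:
        return {"verdict": "unknown", "reason": "no original message attached"}
    hops = received_hops(orig)
    ours = [h for h in hops if h.endswith(tuple(d.lower() for d in our_hosts))]
    return {"verdict": "genuine" if ours else "backscatter", "hops": hops,
            "reply_to": str(orig.get("Reply-To", "")), "origin_ip": str(orig.get("X-Originating-IP", ""))}
```

A bounce classified this way can be filed away before it reaches the user's Inbox, while genuine NDRs for mail that really left the server are still delivered.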
 
LVL 23

Expert Comment

by:rhandels
ID: 24838604
Did you block relaying on your server???
0
 

Author Comment

by:Paulduberry
ID: 24838671
Unfortunately, I wouldn't be an expert on Exchange but if you could tell me where to check for this setting I'll let you know. Thanks.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24838692
Hi, go to your Exchange system administrator, then server, then protocols and then go to SMTP.. Choose properties here and I thought that on the first tab (don't have an exchange in front of me :)) there should be an option relay. Make sure that no machines are able to relay here.. Normally you don't want any machines to relay, only in some cases where you have local machines that need to use your Exchange server to mail.
0
 

Author Comment

by:Paulduberry
ID: 24838747
Looks like it's relaying. See screenshot attached.
Relay.JPG
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24838789
hmm.. depends.. This only means that your internal machines (all machines in the 10.x.x.x range) have permissions to send mail through your Exchange server.
If there is one machine that has a virus or spyware, it can also cause this kind of behaviour.
You can remove these ip addresses (the 10.0.0.10 one) but do keep in mind that it might cause issues for users who are using your Exchange server for mailing stuff..
0
 

Author Comment

by:Paulduberry
ID: 24838835
Then I can't remove it, because all PCs in the domain use Exchange for mail.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24838864
No I didn't mean that.. Users are able to connect to the Exchange server because they are using MAPI and Outlook to send e-mails.. What I mean is if you for example have some sort of web application and you would like to send e-mails using this webserver that it can use the Exchange server to e-mail without using any credentials, so anonymous..

You can delete the setting (keep it for future reference) and wait for users if they have issues.. Do you have any idea why someone enabled this setting?? With what purpose??
0
 

Author Comment

by:Paulduberry
ID: 24839385
No idea. It's always been like that. Just remove the checkmark or the other setting with allowed IPs or both?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24839517
Always use only the list below, make sure to add your own server's IP address (besides the 127.0.0.1) to the list and always (yes please, always :)) check the tickbox for "Allow all computers which successfully...blablabla". Otherwise, all your domain users would be unable to send e-mail.. This is what they use to actually send the mails through your Exchange server...
0
 

Author Comment

by:Paulduberry
ID: 24839636
OK then. But that's how it is currently set. We haven't got our wires crossed, have we? The jpg that shows the current setting is how you say it should be set? In which case, we have advanced the issue not one step.
0
 
LVL 23

Accepted Solution

by:
rhandels earned 500 total points
ID: 24839788
Okay, sorry, it looks like we are talking about 2 different things..

The way it is set up now, in normal English, is that all machines that are able to contact your Exchange server and are within the 10.x.x.x range are able to send e-mail using your mail server, even if they are not authenticated or authorized to do so.

The way you want it to be set up is to only let your own server (no idea what its IP address is, let's say 10.0.0.10) and the localhost 127.0.0.1 be able to communicate with the server without the need to authenticate, thus meaning the first option should be 10.0.0.10 (without any mask at the end).

That said.. In a normal environment you will always have 1 or 2 machines that need to use your Exchange server for sending e-mail. Normally applications that have an e-mail functionality or webservers that need to mail to your customers... You can add them to the list.

What is done here is in fact being the lazy admin (like we all are :)) and just adding the entire internal network to the relaying list.. The possible threat of this is that applications on workstations (that can even be non domain members, if private laptops get an ip address they can also do that) are able to send mail through your Exchange server creating a possible security hole..
0
 

Author Comment

by:Paulduberry
ID: 24840004
So the thing to try is to remove the entry with the mask (10.0.0.10 (255.0.0.0)) and add the server's IP only which is 10.0.0.10?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24840047
Jup....


But as said!!!! Do keep in mind that there may be computers that use your Exchange server to send e-mails... If so, make sure to add those IP addresses to the list too.
How many workstations do you have in your network?? Cause I think you need to look at all machines to see if one of them is actually infected with some sort of software..
0
 

Author Comment

by:Paulduberry
ID: 24840651
About 30 PCs. Don't believe any other PC needs to use Exchange server to send emails. Can't imagine what kind of an ordeal it would be to test every PC in the building. They all have Symantec Client Security installed so I don't know.
0
 

Author Comment

by:Paulduberry
ID: 24840995
Does Jup mean Yes?
0
 

Author Comment

by:Paulduberry
ID: 24841280
Also, if I make the change in Exchange System Manager does the server need to be restarted?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24842108
Jup means yes :) :)
And to be honest I'm not quite sure if you need to restart the services.. A server restart isn't necessary, you can restart the Exchange services. If you restart the Exchange System Attendant all other services will restart automatically, they are dependent on this service..
0
 

Author Comment

by:Paulduberry
ID: 24844293
Right. Stand by. I've made the change so we'll see if it makes any difference to all this spam that's coming into this particular email account over the next 24 hours or so.
0
 

Author Comment

by:Paulduberry
ID: 24847529
Just an update rhandels. No undeliverables this morning. Man, if you've fixed this I'll be forever in your debt. I'm going to wait until 5PM GMT until I can say for sure. Is that ok? Thanks.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24847564
Hey,

Sure it's okay, I surely hope it is fixed now :) :) The only downside to this change is that you will need to check all your machines within your network to find the one that was actually responsible for the spam mails...
0
 

Author Comment

by:Paulduberry
ID: 24847899
Any suggestions as to what I could do here? This building is like a rabbit's warren. I don't even know if I am going to be able to find all the PCs let alone find some nasty bug on one. Are there any network tools that I can run from the server that you know of in order to narrow this down a bit? What's the down side in the event that I never actually find the offending beast?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24848107
pfff... Finding a tool that finds it is rather difficult if you don't know what program or spyware or virus or whatever is causing it..
If you have some sort of central virus solution then that is your best way to go.. Trying to find what machines are sending out is not the easiest thing. You could also try and use Microsoft MBSA (Microsoft Baseline Security Analyzer) to check if machines conform to company policy.

If you have machines there that are not on your domain and you don't have options for blocking them from getting an IP address you're practically screwed..

If you're unable to find the machine it might be a risk that this machine will infect your entire network or clog up your network traffic.. Tbh these are worst case scenarios..
0
 

Author Comment

by:Paulduberry
ID: 24848172
All righty then.
0
 

Author Closing Comment

by:Paulduberry
ID: 31601501
I really appreciate your help with this problem. It looks like the problem is now sorted albeit I have to find the original offender but I'm happy. Thanks again. I had almost given up hope with this one.
0
