Hundreds of spam messages all of a sudden

One user on the domain is getting hundreds of spam messages a day all of a sudden. The Exchange server is protected by Symantec Mail Security with Premium Anti-Spam (cost me a fortune). I have gone over the PC with a fine-tooth comb and found nothing suspicious going on in terms of viruses, spyware, etc. Not sure what to do next. Any ideas would be very welcome. I have included a sample.
______________________________________________ 
From:   System Administrator  
Sent:   09 July 2009 02:01 
To:     ssass124@hotmail.com 
Subject:        Undeliverable:Partnership. 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Partnership. 
      Sent:     09/07/2009 01:57 
 
The following recipient(s) could not be reached: 
 
      ssass124@hotmail.com on 09/07/2009 02:01 
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
 
            <SNT0-MC3-F4.Snt0.hotmail.com #5.5.0 smtp;550 Requested action not taken: mailbox unavailable (64168608:3309:-2147467259)>


PaulduberryAsked:
rhandelsCommented:
It looks like a loop you are having with a message that needs to go to the specified Hotmail mailbox. The mailbox does not exist, the sender receives a message that the mailbox does not exist and resends the message to get it there.

This really doesn't look like spam judging by the mail you've attached. Are you able to stop the MTA and restart it? This normally flushes the mail queue and hopefully the "bad" email (as said, it looks like a loophole in your e-mail).
0
PaulduberryAuthor Commented:
Another sample. Slightly different this time. Could be spoofing?
From:   System Administrator  
Sent:   08 July 2009 15:31 
To:     zepernickc@cintas.com 
Subject:        Undeliverable:Long/Short Term Bridging Loans 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Long/Short Term Bridging Loans 
      Sent:     08/07/2009 15:21 
 
The following recipient(s) could not be reached: 
 
      zepernickc@cintas.com on 08/07/2009 15:31 
            The e-mail account does not exist at the organization this message was sent to.  Check the e-mail address, or contact the recipient directly to find out the correct address.
 
            <c092ex04.cintas.com #5.1.1> 


0
PaulduberryAuthor Commented:
And another.
______________________________________________ 
From:   System Administrator  
Sent:   08 July 2009 22:31 
To:     ebardos@vkesztergom.hu 
Subject:        Undeliverable:Re: Your Euro Million Lotto Results 
 
Your message did not reach some or all of the intended recipients. 
 
      Subject:  Re: Your Euro Million Lotto Results 
      Sent:     08/07/2009 22:18 
 
The following recipient(s) could not be reached: 
 
      ebardos@vkesztergom.hu on 08/07/2009 22:31 
            The message could not be delivered because the recipient's mailbox is full. 
            <bors-mailstore-1 (ims-ms-daemon) #4.2.2> 


0
MesthaCommented:
That is just backscatter. It doesn't mean the machine is infected.
The spammer is using that user's email address as the From address. The sites reject the email and send it back to the "sender". Very common.

Not a massive amount you can do about it, because your server must accept the NDRs otherwise you will get blacklisted.

Simon.
0
PaulduberryAuthor Commented:
Can I stop the NDRs from getting to the user's Inbox?
0
lastlostlastCommented:
You can make a rule in Outlook to stop NDRs from coming into the Inbox directly. You can move them to some other folder where they can be deleted later.
0
MesthaCommented:
NDRs are system messages. I don't think you will be able to create a rule on them because of their message format.

Simon.
0
TimorosCommented:
I've seen many cases in which the user submits his/her email to subscription services or various mailing lists and the spammers begin their attacks on his/her mailbox!

Check also Symantec's settings/properties: raise the SCL rating.

I don't know the possibilities that Symantec Mail Security with Premium Anti-Spam has, but you can check here:
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007020615531854
http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2008031208452954
0
PaulduberryAuthor Commented:
This user had over 1000 undeliverables in the Inbox between 9 and 10 this morning. I have configured Symantec Mail Security according to the links Timoros provided and restarted the server. Before I give up and start to award points, can someone categorically state that this is something that we will always have to deal with for this particular email address and the only way out is by changing the email address?
0
rhandelsCommented:
My point of an accidental loophole still stands...
I've seen this behaviour and, IMHO, this doesn't look like spam to me. It looks like you've accidentally created a loop in your e-mail traffic. After the restart, did he receive that many e-mails again?
0
PaulduberryAuthor Commented:
Yes. I restarted last night. There were over 1000 undeliverables waiting for the user this morning.
0
PaulduberryAuthor Commented:
Below is the actual header of a typical message. Maybe this will throw a slightly different light on the problem. Could someone please look at it? I don't even recognise the return-path (ros2000@eircom.net) as our domain name is roscrea2000.com.
Microsoft Mail Internet Headers Version 2.0
Received: from mail pickup service by roscrea2000.com with Microsoft SMTPSVC; Mon, 13 Jul 2009 09:47:55 +0100
thread-index: AcoDlp1pehzjTH2vSpO0mC9cFSXUHg==
Cc: 
Bcc: 
Return-Path: 
Delivered-To: eircom.net-ros2000@eircom.net
Message-ID: <CD4743F095794DAF8DE66030ED892546@roscrea2k.local>
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Exchange 2000
From: <postmaster@hotmail.com>
To: <ros2000@eircom.net>
Date: Mon, 13 Jul 2009 09:47:55 +0100
MIME-Version: 1.0
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4325
Status: RO
X-UIDL: 1247451010.89485.mailscanned02.svc.cra.dublin.eircom.net,S=4621
Content-Type: multipart/report;
	report-type=delivery-status;
	boundary="9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col"
X-DSNContext: 335a7efd - 4480 - 00000001 - 80040546
Subject: Delivery Status Notification (Failure)
Content-Antispam: Probably not spam. 1.20 < 3.00 [as:1.20 cc:0.00 sa:1.20]
Content-Security: Checked by F-Prot AVES (http://aves.f-prot.com/)
X-Antivirus: Scanned by F-Prot Antivirus (http://www.f-prot.com/)
X-OriginalArrivalTime: 13 Jul 2009 02:07:34.0074 (UTC) FILETIME=[AF9001A0:01CA035E]
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset="unicode-1-1-utf-7"
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: message/delivery-status
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col
Content-Transfer-Encoding: 7bit
Content-Type: message/rfc822
 
Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
	 Sun, 12 Jul 2009 19:07:33 -0700
Received: (qmail 15291 messnum 5480333 invoked from network[86.43.60.104/webmail04.webmail.cra.eircom.net]); 13 Jul 2009 02:07:32 -0000
Received: from webmail04.webmail.cra.eircom.net (HELO webmailclassic.eircom.net) (86.43.60.104)
  by mail01.svc.cra.dublin.eircom.net (qp 15291) with SMTP; 13 Jul 2009 02:07:32 -0000
From: "Head of Finance Dept " <ros2000@eircom.net>
Reply-To: <hiro.tokyo-japan@hotmail.co.uk>
To:  
Subject: Partnership.
Date: Mon, 13 Jul 2009 03:07:32 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-Originating-IP: 148.233.229.235
X-Mailer: Eircom Net CRC Webmail (http://www.eircom.net/)
Organization: Eircom Net (http://www.eircom.net/)
Return-Path: ros2000@eircom.net
Message-ID: <COL0-MC2-F40qOdK6NI0069ed1d@col0-mc2-f40.Col0.hotmail.com>
X-OriginalArrivalTime: 13 Jul 2009 02:07:33.0546 (UTC) FILETIME=[AF3F70A0:01CA035E]
 
 
--9B095B5ADSN=_01C9F9FB0B2DF947001E7535col0?mc2?f40.Col


0
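Added example, not code from the thread: a small Python check that takes a DSN like the one pasted above and tells a forged-sender bounce (backscatter) from a bounce of mail the site's own server really sent, by looking at the Received path of the embedded original message. The sample DSN is constructed from the thread's headers with bodies shortened, and the OUR_HOSTS list is an assumption taken from the hostnames in those headers.

```python
import email
from email.utils import parseaddr

# Constructed sample DSN modelled on the bounce quoted above (bodies shortened,
# boundary simplified; host names and addresses as they appear in the thread).
SAMPLE_DSN = """\
From: <postmaster@hotmail.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: rfc822; ssass124@hotmail.com
Status: 5.5.0
--B1
Content-Type: message/rfc822

Received: from mail01.svc.cra.dublin.eircom.net ([159.134.118.17]) by col0-mc2-f40.Col0.hotmail.com with Microsoft SMTPSVC
Received: from webmail04.webmail.cra.eircom.net (86.43.60.104) by mail01.svc.cra.dublin.eircom.net with SMTP
From: "Head of Finance Dept " <ros2000@eircom.net>
Reply-To: <hiro.tokyo-japan@hotmail.co.uk>
Subject: Partnership.
X-Originating-IP: 148.233.229.235

Partnership proposal body.
--B1--
"""

OUR_HOSTS = ("roscrea2000.com", "roscrea2k.local")  # assumed: the site's own server names

def analyse_dsn(raw, our_hosts=OUR_HOSTS):
    msg = email.message_from_string(raw)
    status, original = None, None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            for block in part.get_payload():  # one header-only block per recipient
                status = block.get("Status", status)
        elif part.get_content_type() == "message/rfc822" and original is None:
            original = part.get_payload(0)  # the rejected original message
    if original is None:
        return {"verdict": "not-a-dsn", "status": status}
    # A loop or genuine bounce shows our own server in the Received path; a forged
    # sender shows only third-party hops (here: eircom webmail -> hotmail).
    hops = " ".join(original.get_all("Received", [])).lower()
    we_sent_it = any(h in hops for h in our_hosts)
    return {"verdict": "loop-or-genuine-bounce" if we_sent_it else "backscatter",
            "status": status,
            "original_from": parseaddr(original.get("From", ""))[1],
            "reply_to": parseaddr(original.get("Reply-To", ""))[1],
            "originating_ip": original.get("X-Originating-IP")}
```

Run against the thread's real bounces, the Reply-To that differs from the forged From and an X-Originating-IP outside the site's ranges are the same signs the experts read by eye.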
rhandelsCommented:
Did you block relaying on your server?
0
PaulduberryAuthor Commented:
Unfortunately, I wouldn't be an expert on Exchange but if you could tell me where to check for this setting I'll let you know. Thanks.
0
rhandelsCommented:
Hi, go to your Exchange system administrator, then server, then protocols and then go to SMTP. Choose properties here and I thought that on the first tab (don't have an Exchange in front of me :)) there should be an option "relay". Make sure that no machines are able to relay here. Normally you don't want any machines to relay, only in some cases where you have local machines that need to use your Exchange server to mail.
0
PaulduberryAuthor Commented:
Looks like it's relaying. See screenshot attached.
Relay.JPG
0
rhandelsCommented:
Hmm, depends. This only means that your internal machines (all machines in the 10.x.x.x range) have permission to send mail through your Exchange server.
If there is one machine that has a virus or spyware, it can also cause this kind of behaviour.
You can remove these ip addresses (the 10.0.0.10 one) but do keep in mind that it might cause issues for users who are using your Exchange server for mailing stuff..
0
PaulduberryAuthor Commented:
Then I can't remove it, because all PCs in the domain use Exchange for mail.
0
rhandelsCommented:
No, I didn't mean that. Users are able to connect to the Exchange server because they are using MAPI and Outlook to send e-mails. What I mean is if you for example have some sort of web application and you would like to send e-mails using this webserver, it can use the Exchange server to e-mail without using any credentials, so anonymously.

You can delete the setting (keep it for future reference) and wait to see if users have issues. Do you have any idea why someone enabled this setting? With what purpose?
0
PaulduberryAuthor Commented:
No idea. It's always been like that. Just remove the checkmark or the other setting with allowed IPs or both?
0
rhandelsCommented:
Always use "only the list below", make sure to add your own server's IP address (besides the 127.0.0.1) to the list and always (yes please, always :)) check the tickbox for "Allow all computers which successfully...blablabla". Otherwise, all your domain users would be unable to send e-mail. This is what they use to actually send the mails through your Exchange server...
0
PaulduberryAuthor Commented:
OK then. But that's how it is currently set. We haven't got our wires crossed, have we? The jpg that shows the current setting is how you say it should be set? In which case, we have advanced the issue not one step.
0
rhandelsCommented:
Okay, sorry, it looks like we are talking about 2 different things.

The way it is set up now, in normal English, is that all machines that are able to contact your Exchange server and are within the 10.x.x.x range are able to send e-mail using your mail server, even if they are not authenticated or authorized to do so.

The way you want it set up is to only let your own server (no idea what its IP address is, let's say 10.0.0.10) and the localhost 127.0.0.1 be able to communicate with the server without the need to authenticate, thus meaning the first option should be 10.0.0.10 (without any mask at the end).

That said, in a normal environment you will always have 1 or 2 machines that need to use your Exchange server for sending e-mail. Normally applications that have an e-mail functionality or webservers that need to mail to your customers... You can add them to the list.

What is done here is in fact being the lazy admin (like we all are :)) and just adding the entire internal network to the relaying list. The possible threat of this is that applications on workstations (that can even be non domain members; if private laptops get an IP address they can also do that) are able to send mail through your Exchange server, creating a possible security hole.
0
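Added example, not Exchange's own code: a Python model of the relay check rhandels describes, with the entry as found in the screenshot (10.0.0.10 with mask 255.0.0.0) beside the corrected host-only list. The entry format, the "only the list below" semantics and the authenticated-users tickbox are assumptions modelled on the dialog as the thread describes it; the client addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Relay lists as the thread describes them (modelled, not read from Exchange).
# An entry is either a single host, or (address, subnet mask) as the dialog shows it.
AS_FOUND = [("10.0.0.10", "255.0.0.0")]      # the whole 10.x.x.x range may relay anonymously
CORRECTED = ["10.0.0.10", "127.0.0.1"]       # only the server itself and localhost

def _entry_network(entry):
    """Turn a list entry into the network it actually covers."""
    if isinstance(entry, tuple):
        address, mask = entry
        return ip_network(f"{address}/{mask}", strict=False)
    return ip_network(f"{entry}/32")

def may_relay(client_ip, entries, authenticated=False, allow_authenticated=True):
    """Model of 'Only the list below' plus the 'Allow all computers which
    successfully authenticate to relay' tickbox: authenticated Outlook/MAPI
    users pass via the tickbox, anonymous clients only if the list covers them."""
    if authenticated and allow_authenticated:
        return True
    addr = ip_address(client_ip)
    return any(addr in _entry_network(e) for e in entries)

def overly_broad(entries):
    """Audit helper: entries whose mask grants relay to more than one host."""
    return [e for e in entries if _entry_network(e).num_addresses > 1]
```

The audit helper is the check to run before trusting a relay list: any entry it returns lets every host in that range, including an unmanaged laptop that picks up a DHCP lease, send mail through the server anonymously.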
PaulduberryAuthor Commented:
So the thing to try is to remove the entry with the mask (10.0.0.10 (255.0.0.0)) and add the server's IP only, which is 10.0.0.10?
0
rhandelsCommented:
Jup....


But as said!!!! Do keep in mind that there may be computers that use your Exchange server to send e-mails... If so, make sure to add those IP addresses to the list too.
How many workstations do you have in your network? 'Cause I think you need to look at all machines to see if one of them is actually infected with some sort of software.
0
PaulduberryAuthor Commented:
About 30 PCs. Don't believe any other PC needs to use Exchange server to send emails. Can't imagine what kind of an ordeal it would be to test every PC in the building. They all have Symantec Client Security installed so I don't know.
0
PaulduberryAuthor Commented:
Does Jup mean Yes?
0
PaulduberryAuthor Commented:
Also, if I make the change in Exchange System Manager does the server need to be restarted?
0
rhandelsCommented:
Jup means yes :) :)
And to be honest I'm not quite sure if you need to restart the services. A server restart isn't necessary, you can restart the Exchange services. If you restart the Exchange System Attendant all other services will restart automatically, they are dependent on this service.
0
PaulduberryAuthor Commented:
Right. Stand by. I've made the change so we'll see if it makes any difference to all this spam that's coming into this particular email account over the next 24 hours or so.
0
PaulduberryAuthor Commented:
Just an update rhandels. No undeliverables this morning. Man, if you've fixed this I'll be forever in your debt. I'm going to wait until 5PM GMT until I can say for sure. Is that ok? Thanks.
0
rhandelsCommented:
Hey,

Sure it's okay, I surely hope it is fixed now :) :) The only downside to this change is that you will need to check all the machines within your network to find which one was actually responsible for the spam mails...
0
PaulduberryAuthor Commented:
Any suggestions as to what I could do here? This building is like a rabbit's warren. I don't even know if I am going to be able to find all the PCs let alone find some nasty bug on one. Are there any network tools that I can run from the server that you know of in order to narrow this down a bit? What's the down side in the event that I never actually find the offending beast?
0
rhandelsCommented:
Pfff... Finding a tool that finds it is rather difficult if you don't know what program or spyware or virus or whatever is causing it.
If you have some sort of central virus solution then that is your best way to go. Trying to find what machines are sending out is not the easiest thing. You could also try and use Microsoft MBSA (Microsoft Baseline Security Analyzer) to check if machines conform to company policy.

If you have machines there that are not on your domain and you don't have options for blocking them from getting an IP address, you're practically screwed.

If you're unable to find the machine there is a risk that this machine will infect your entire network or clog up your network traffic. TBH these are worst case scenarios.
0
PaulduberryAuthor Commented:
All righty then.
0
PaulduberryAuthor Commented:
I really appreciate your help with this problem. It looks like the problem is now sorted albeit I have to find the original offender but I'm happy. Thanks again. I had almost given up hope with this one.
0