Undeliverable emails

Hello. I was wondering if someone could give me some insight on the problem I'm having. I have a user that is receiving these undeliverable email messages in their inbox. The thing is, the user is not sending these emails. There is no indication in their sent items folder that the messages are being sent from their account. The environment is an SBS 2003 Server with Exchange 2003, and the client is XP OS with Outlook 2003. I'm attaching the header and message of one of these emails. I'm thinking these are just spam emails trying to look like undeliverables, but I'd rather be sure and not end up on someone's blacklist. Here are the things I've tried already: scanned the user's computer for viruses, nothing came up; changed the user's password and ran detect and repair on Outlook. And they are still getting them.

Bruno PACI (IT Consultant) commented:

I think these NDR messages are not spam themselves but are answers to spam sent by someone on the Internet who is using your users' email addresses as the sender of the forged messages.

This is a classic spoofing attempt to deliver spam:
The spammer connects to a computer somewhere on the Internet and starts to send forged e-mail messages. If the spammer used absolutely random sender e-mail addresses in the forged messages, these spam emails would be easily refused by target SMTP servers if these servers check the existence of the sender mail domain and the sender mailbox...

So, usually spammers use real e-mail addresses to fill the sender field of their forged spam e-mails.

The result is that if the target server cannot deliver the spam, it will answer to the sender that is mentioned in the spam header. That's why you receive NDRs for e-mails you have never sent. This is just because your e-mail address is used by a spammer somewhere on the Internet.

Have a good day.
tourist08 (Author) commented:
PaciB, so with your answer, I should not have to worry about my email server being blacklisted?

YiHateu is correct. Someone is using your user's email account to send spam emails out. It is ridiculously easy to use someone else's email address as the sender's email address. That was a feature way back in the day when you might send an email from work, but want a reply email to go to your home email address, for instance. What that "feature" means is that it is very easy to spoof an email address. I can easily send you an email that appears to come from obama@whitehouse.gov.

There is really nothing you can do about it but tell the user to ignore those emails, or write an email filter to delete them or send them to a folder. I am assuming you would not want to give the user a new email address and disable the old one...

Bruno PACI (IT Consultant) commented:
Hi again,

By the way, the header of the NDR message contains all the information to prove the scenario I explained. Look at these lines in the header:

Return-Path: <ouruser@ourdomain.com>
Received: from ([] [])
by sv01.nsc.no id BT-MMP-2554446; Sat, 24 Apr 2010 20:48:09 +0200

That proves that the original e-mail has been sent from the computer named ""... and has been sent to "sv01.nsc.no".
The spammer was using a computer connected to the "intelnet.net.gt" ISP network. That doesn't mean that this computer's owner is a spammer. It might be an infected computer...
If this ISP is a serious one, you can inform it of this computer sending spam and it should warn the computer owner about that... But there are so many infected computers on the Internet that you'll probably give up soon.

Have a good day


tourist08 (Author) commented:
Thanks for the help.
B H commented:
you might consider setting up an SPF record.  that tells the world "only these ip addresses are allowed to claim to be from us".

most companies honor SPF records, and if someone from norway sends an email claiming to be from your domain, it'll be rejected without sending an NDR to you.

it takes about 10 minutes to do, and is really easy
Bruno PACI (IT Consultant) commented:
I don't think your email server will be blacklisted, because normally the blacklist managers ensure that spam is really sent from an SMTP server before including it in a blacklist.
In your case, it's SMTP domain spoofing. It is not your servers that send spam, so you should not be blacklisted.

More and more companies add some SMTP tests before accepting an incoming e-mail. In your example, if the e-mail server of "sv01.nsc.no" had made a reverse DNS test, it would have refused the incoming spam because the IP address of the spammer's computer doesn't match the spoofed sender e-mail domain name "ourdomain.com".

Have good day
Bruno PACI (IT Consultant) commented:
By the way,
bryon4403 gave you good advice. You should ensure that you have already created your RDNS and SPF DNS records, because more and more companies make anti-spam tests, and if you want to be able to send e-mail to any company without being rejected by their SMTP server you should follow bryon4403's advice.

And of course you should share some EE points to him
B H commented:
points? what are points? :)
tourist08 (Author) commented:
Sorry I jumped the gun on giving the points up, bryon44035v3, but PaciB did answer my question in its entirety. But you did provide additional information that will help me out, so if there's a way to give extra points let me know.
tourist08 (Author) commented:
Hey bryon44035v3, would you mind helping me out with the SPF record, or should I start another post? I'm not sure in my situation if I have to set up multiple SPF records or if I can do it in one. My situation is this: we have about 6 domains hosted at GoDaddy and the MX records point to our SBS 2003 Exchange Server, which is hosted internally. So all the domains show up as coming from one IP, and that IP reverses to mail.ourmaindomain.com
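
An added example, not part of the original thread and not any poster's code: a receiver-side sketch of the SPF check B H describes, applied to the setup in the last post (several domains whose mail all leaves from one IP). The IP addresses are documentation-range placeholders, the TXT record contents are assumed, and only the ip4/ip6/all mechanisms are evaluated.

```python
import ipaddress

# Constructed sample data. SPF is looked up per sender domain, so each hosted
# domain publishes its own TXT record; with a single outbound server the
# record text can be identical for all of them.
SPF_TXT = {
    "ourmaindomain.com": "v=spf1 ip4:203.0.113.10 -all",  # placeholder server IP
    "ourdomain.com": "v=spf1 ip4:203.0.113.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_TXT):
    """Evaluate the ip4/ip6/all subset of SPF for the envelope sender
    (Return-Path) domain against the IP that opened the SMTP connection."""
    record = records.get(sender_domain.lower())
    if record is None:
        return "none"                      # domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all, normally the last term
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"           # mx/a/include need DNS; outside this sketch
    return "neutral"                       # nothing matched and no "all" term


def smtp_decision(sender_domain, client_ip):
    """A receiver that honors SPF refuses a 'fail' during the SMTP session,
    so it never accepts the forged message and never sends an NDR later."""
    return "reject" if check_spf(sender_domain, client_ip) == "fail" else "accept"
```

With these records, mail claiming to be from ourdomain.com is accepted from 203.0.113.10 and rejected from any other address, such as 198.51.100.7.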