• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 562
  • Last Modified:

Undeliverable emails

Hello.  I was wondering if someone could give me some insight on the problem I'm having.  I have a user that is receiving these undeliverable email messages in their inbox.  The thing is, the user is not sending these emails.  There is no indication in their Sent Items folder that the messages are being sent from their account.  The environment is an SBS 2003 server with Exchange 2003, and the client is Windows XP with Outlook 2003.  I'm attaching the header and message of one of these emails.  I'm thinking these are just spam emails trying to look like undeliverables, but I'd rather be sure and not end up on someone's blacklist.  Here are the things I've tried already.  Scanned the user's computer for viruses; nothing came up.  Changed the user's password and ran Detect and Repair on Outlook.  And they are still getting them.
header2.txt
message2.txt
Asked:
tourist08
1 Solution
 
Bruno PACI (IT Consultant) commented:
Hi,

I think these NDR messages are not spam themselves but are replies to spam sent by someone on the Internet who is using your users' email addresses as the sender of the forged messages.

This is a classic spoofing attempt to deliver spam:
The spammer connects to a computer somewhere on the Internet and starts to send forged e-mail messages. If the spammer used absolutely random sender e-mail addresses in its forged messages, these spam emails would be easily refused by target SMTP servers if those servers check the existence of the sender mail domain and the sender mailbox...

So, usually spammers use real e-mail addresses to fill the sender field of their forged spam e-mails.

The result is that if the target server cannot deliver the spam, it will answer to the sender that is mentioned in the spam header. That's why you receive NDRs for e-mails you have never sent. This is just because your e-mail address is used by a spammer somewhere on the Internet.

Have a good day.
 
tourist08 (Author) commented:
PaciB, so with your answer, I should not have to worry about my email server being blacklisted?
 
nole172 commented:
YiHateu is correct.  Someone is using your user's email account to send spam emails out.  It is ridiculously easy to use someone else's email address as the sender's email address.  That was a feature way back in the day when you might send an email from work but want a reply email to go to your home email address, for instance.  What that "feature" means is that it is very easy to spoof an email address.  I can easily send you an email that appears to come from obama@whitehouse.gov.

There is really nothing you can do about it but tell the user to ignore those emails, or write an email filter to delete them or send them to a folder.  I am assuming you would not want to give the user a new email address and disable the old one...

 
Bruno PACI (IT Consultant) commented:
Hi again,

By the way, the header of the NDR message contains all the information to prove the scenario I explained. Look at these lines in the header:

Return-Path: <ouruser@ourdomain.com>
Received: from 166.172.148.190.dsl.intelnet.net.gt ([190.148.172.166] [190.148.172.166])
by sv01.nsc.no id BT-MMP-2554446; Sat, 24 Apr 2010 20:48:09 +0200


That proves that the original e-mail was sent from the computer named "166.172.148.190.dsl.intelnet.net.gt"... and was sent to "sv01.nsc.no".
The spammer was using a computer connected to the "intelnet.net.gt" ISP network. That doesn't mean that this computer's owner is a spammer. It might be an infected computer...
If this ISP is a serious one, you can inform it of this computer sending spam and it should warn the computer's owner about that... But there are so many infected computers on the Internet that you'll probably give up soon.

Have a good day

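The check described in the comment above (read the Received chain of the bounced message, find the injecting host, compare it with the Return-Path domain) can be automated so that a mailbox rule or mail-gateway script files these NDRs instead of alarming the user. The following is an added example, not code from the thread or from any participant. The header block is constructed for the example: the second Received line is the one quoted above, the first is an invented later hop on the receiving side, and 203.0.113.25 is a placeholder for the public IP of the SBS 2003 Exchange server, which the thread never gives.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not the thread's attachment): the header block of the
# forged message as it came back inside the NDR. Received headers are
# prepended by each hop, so the bottom-most one is the earliest hop.
SAMPLE_HEADERS = """\
Return-Path: <ouruser@ourdomain.com>
Received: from sv01.nsc.no (sv01.nsc.no [192.0.2.10])
\tby mailstore.nsc.no with ESMTP id 4f3a1c; Sat, 24 Apr 2010 20:48:11 +0200
Received: from 166.172.148.190.dsl.intelnet.net.gt ([190.148.172.166] [190.148.172.166])
\tby sv01.nsc.no id BT-MMP-2554446; Sat, 24 Apr 2010 20:48:09 +0200
From: ouruser@ourdomain.com
To: someone@nsc.no
Subject: (forged spam)

body of the forged message
"""

# "from <host> (... [<ip>] ...)": the first bracketed IPv4 address after the
# opening parenthesis is the connecting client's address as seen by that MTA.
_FROM_RE = re.compile(r"from\s+(\S+)\s*\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return (host, ip) for every parsable Received header, latest first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = _FROM_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops


def originating_hop(raw_message):
    """The injecting client: the last Received header, i.e. the earliest hop."""
    hops = received_hops(raw_message)
    return hops[-1] if hops else None


def is_backscatter(raw_message, our_domain, our_mail_ips):
    """True when the bounced message claims one of our senders (Return-Path)
    but was injected from an address that is not one of our mail servers:
    an NDR for mail we never sent."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    claimed_domain = return_path.rpartition("@")[2]
    origin = originating_hop(raw_message)
    if claimed_domain != our_domain.lower() or origin is None:
        return False
    return origin[1] not in our_mail_ips


if __name__ == "__main__":
    print(received_hops(SAMPLE_HEADERS))
    # 203.0.113.25 is a placeholder for our own server's public address
    print(is_backscatter(SAMPLE_HEADERS, "ourdomain.com", {"203.0.113.25"}))
```

One caveat when reading the result: only the Received lines written by servers you trust are reliable. A sender can prepend fake Received lines of its own, so the bottom-most hop is a strong hint about where the message entered the mail system, not proof.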
 
tourist08 (Author) commented:
Thanks for the help.
 
B H commented:
You might consider setting up an SPF record.  That tells the world "only these IP addresses are allowed to claim to be from us".

Most companies honor SPF records, and if someone from Norway sends an email claiming to be from your domain, it'll be rejected without sending an NDR to you.

It takes about 10 minutes to do, and is really easy:
http://old.openspf.org/wizard.html
 
Bruno PACI (IT Consultant) commented:
I don't think your email server will be blacklisted, because normally the blacklist managers ensure that spam is really sent from an SMTP server before including it in a blacklist.
In your case, it's SMTP domain spoofing. It is not your server that sends spam, so you should not be blacklisted.

More and more companies add some SMTP tests before accepting an incoming e-mail. In your example, if the e-mail server "sv01.nsc.no" had made a reverse DNS test, it would have refused the incoming spam because the IP address of the spammer's computer doesn't match the spoofed sender e-mail domain name "ourdomain.com".

Have a good day
 
Bruno PACI (IT Consultant) commented:
By the way,
bryon4403 gave you good advice. You should ensure that you have already created your RDNS and SPF DNS records, because more and more companies make anti-spam tests, and if you want to be able to send e-mail to any company without being rejected by their SMTP server you should follow bryon4403's advice.

And of course you should share some EE points with him
 
B H commented:
points? what are points? :)
 
tourist08 (Author) commented:
Sorry, I jumped the gun on giving the points up, bryon44035v3, but PaciB did answer my question in its entirety.  But you did provide additional information that will help me out, so if there's a way to give extra points let me know.
 
tourist08 (Author) commented:
Hey bryon44035v3, would you mind helping me out with the SPF record, or should I start another post?  I'm not sure in my situation if I have to set up multiple SPF records or if I can do it in one.  My situation is this.  We have about 6 domains hosted at GoDaddy and the MX records point to our SBS 2003 Exchange Server, which is hosted internally.  So all the domains show up as coming from one IP, and that IP reverses to mail.ourmaindomain.com
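The SPF suggestion from B H and the multi-domain question just above can be worked through with a short script. This is an added example, not code from the thread or from any participant: it builds the TXT record that every domain sharing the single Exchange server would publish (SPF records are per domain, so each of the hosted domains gets its own TXT record, but the text can be identical), and it evaluates a record against a connecting IP the way a receiving MTA does, so the spoofed message from 190.148.172.166 quoted earlier can be seen to fail. The IP 203.0.113.25 and the domain names other than ourmaindomain.com are placeholders; the thread gives no real values.

```python
import ipaddress

# Constructed placeholders: the thread never states the server's public IP or
# the other hosted domain names.
OUR_MAIL_IPS = ["203.0.113.25"]
HOSTED_DOMAINS = ["ourmaindomain.com", "seconddomain.example", "thirddomain.example"]


def spf_record(ips, policy="-all"):
    """Build a v=spf1 record that authorises only the given IPv4 addresses or
    CIDR networks; '-all' tells receivers to reject everything else."""
    return "v=spf1 " + " ".join("ip4:%s" % ip for ip in ips) + " " + policy


def zone_txt_records(domains, ips):
    """One TXT record per domain. The text is the same for all of them because
    every domain's mail leaves from the same server."""
    record = spf_record(ips)
    return ['%s. IN TXT "%s"' % (d, record) for d in domains]


# Qualifier prefix -> SPF result name (RFC 7208)
_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate a record for the connecting IP, as a receiving MTA would.
    Offline subset: only the ip4 and all mechanisms are implemented; a, mx,
    include and redirect need DNS lookups and are refused rather than guessed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in _RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return _RESULT[qualifier]
        if name == "ip4":
            if ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False):
                return _RESULT[qualifier]
            continue
        raise NotImplementedError("mechanism %r needs DNS, not supported here" % name)
    # No mechanism matched and no 'all' term: the default result is neutral.
    return "neutral"


if __name__ == "__main__":
    for line in zone_txt_records(HOSTED_DOMAINS, OUR_MAIL_IPS):
        print(line)
    record = spf_record(OUR_MAIL_IPS)
    # our own server passes; the DSL host quoted in the thread fails
    print(spf_check(record, "203.0.113.25"))
    print(spf_check(record, "190.148.172.166"))
```

A receiving server that checks SPF and gets "fail" for 190.148.172.166 rejects the message during the SMTP session, so no NDR is ever generated for ourdomain.com. Before publishing "-all", list every host that legitimately sends mail for the domain (a web server or a hosted newsletter service, for example), or their mail will be rejected too; "~all" is the usual first step while that list is verified.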
Question has a verified solution.