Solved

SPAM mail

Posted on 2011-05-03
662 Views
Last Modified: 2012-06-21
Hi,

I had a spam mail undelivery message delivered to a critical user of mine. Could someone please help me to understand how this message is coming through and how the user is getting an undeliverable message when he had not sent the mail in the first place.

The user is going to log an incident with Information security and I need to know if this is just a case of his mail address being used in a spam incident and what we could do to prevent this.

The original message -

-----Original Message-----
From: robertnn@alpha-business-centre.co.uk [mailto:robertnn@alpha-business-centre.co.uk]
Sent: 02 May 2011 21:16
To: robertnn@alpha-business-centre.co.uk; robertn@alpha-business-centre.co.uk; sales@alpha-business-centre.co.uk; wttqcttfmpctpp@alpha-business-centre.co.uk; veronica@alpha-business-centre.co.uk
Subject: from Lucile

I'm a atractive blonde, and I wish to become a pen pal (by email or Skype) of a handsome and clever guy, interested in further real dates!

My home page: www.rus-flirt.ru

The Undelivery message

From: Mail Delivery System <MAILER-DAEMON@localhost.ukdatastore.com>
To: robertnn@alpha-business-centre.co.uk <robertnn@alpha-business-centre.co.uk>; wttqcttfmpctpp@alpha-business-centre.co.uk <wttqcttfmpctpp@alpha-business-centre.co.uk>; robertn@alpha-business-centre.co.uk <robertn@alpha-business-centre.co.uk>; veronica@alpha-business-centre.co.uk <veronica@alpha-business-centre.co.uk>
Sent: Mon May 02 17:46:21 2011
Subject: Undeliverable: from Lucile


Delivery has failed to these recipients or distribution lists:

robertnn@alpha-business-centre.co.uk
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

wttqcttfmpctpp@alpha-business-centre.co.uk
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

robertn@alpha-business-centre.co.uk
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

veronica@alpha-business-centre.co.uk
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.



Diagnostic information for administrators:

Generating server: localhost.ukdatastore.com

robertnn@alpha-business-centre.co.uk
#< #5.0.0 X-Postfix; user unknown. Command output: Invalid user specified.> #SMTP#

wttqcttfmpctpp@alpha-business-centre.co.uk
#< #5.0.0 X-Postfix; user unknown. Command output: Invalid user specified.> #SMTP#

robertn@alpha-business-centre.co.uk
#< #5.0.0 X-Postfix; user unknown. Command output: Invalid user specified.> #SMTP#

veronica@alpha-business-centre.co.uk
#< #5.0.0 X-Postfix; user unknown. Command output: Invalid user specified.> #SMTP#

Original message headers:

Received: from sura.ru (host-93-124-1-159.dsl.sura.ru [93.124.1.159])      by
 localhost.ukdatastore.com (Postfix) with ESMTP id 2AC63EE025;      Mon,  2 May
 2011 16:46:18 +0100 (BST)
Received: from  93.124.1.159 (account <robertnn@alpha-business-centre.co.uk>,
      <robertn@alpha-business-centre.co.uk>,
      <sales@alpha-business-centre.co.uk>,
      <wttqcttfmpctpp@alpha-business-centre.co.uk>,
      <veronica@alpha-business-centre.co.uk> HELO alpha-business-centre.co.uk)
      by alpha-business-centre.co.uk (CommuniGate Pro SMTP 5.2.3)
      with ESMTPA id 654114290 for <robertnn@alpha-business-centre.co.uk>; Mon, 2 May 2011 18:46:18 +0300
From: <robertnn@alpha-business-centre.co.uk>,
      <robertn@alpha-business-centre.co.uk>, <sales@alpha-business-centre.co.uk>,
      <wttqcttfmpctpp@alpha-business-centre.co.uk>,
      <veronica@alpha-business-centre.co.uk>
To: <robertnn@alpha-business-centre.co.uk>,
      <robertn@alpha-business-centre.co.uk>, <sales@alpha-business-centre.co.uk>,
      <wttqcttfmpctpp@alpha-business-centre.co.uk>,
      <veronica@alpha-business-centre.co.uk>
Subject: from Lucile
Date: Mon, 2 May 2011 18:46:18 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: erjovftfnn-71
Message-ID: <9119358522.I7ZCO03W092370@qqfpwhvh.xstbwhajvtjeg.biz>
X-Antivirus: avast! (VPS 110502-0, 02.05.2011), Outbound message
X-Antivirus-Status: Clean

Question by:rax2473
5 Comments
 
LVL 100

Expert Comment

by:John Hurst
ID: 35513017
It is coming from here (look down near the bottom for the last IP address, 93.124.1.159):

Valery Petrov
Penza
Kuprina street 1/3
Russia
phone: +7 8412 551038
fax: +7 8412 552537
petroff@sura.ru

Alexey Perov
Volgatelecom
Kuprina, 1/3
Penza
Russia
phone: +7 8412 520215
fax: +7 8412 553541
algardo@sura.ru

It is standard spoofed email, so I don't know if you can prevent it. I see mail from myself in my spam filters frequently.

Make sure:
1. Your spam filters are trapping this stuff. I tend not to whitelist myself.
2. Your company email or internet are not seen as open relays.
3. That the user's computer has not been compromised with malware. Malware to take over a user's email engine is very common.

... Thinkpads_User
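One way to do in code what the comment above does by eye (read the origin off the bottom of the Received chain), as an added example that is not part of the post or of any Experts Exchange answer: it parses the headers quoted in the question, treats the first hop stamped by our own mail host (assumed here to be localhost.ukdatastore.com) as the trust boundary, and flags the sender-supplied hop below it that claims an authenticated relay through the user's own domain. SAMPLE is constructed from the headers quoted in the question, reduced to the lines the trace needs.

```python
import re
from email import message_from_string
# Constructed sample: the Received and From lines quoted in the question, trimmed.
SAMPLE = """\
Received: from sura.ru (host-93-124-1-159.dsl.sura.ru [93.124.1.159]) by
 localhost.ukdatastore.com (Postfix) with ESMTP id 2AC63EE025; Mon, 2 May
 2011 16:46:18 +0100 (BST)
Received: from 93.124.1.159 (account <robertnn@alpha-business-centre.co.uk>
 HELO alpha-business-centre.co.uk) by alpha-business-centre.co.uk
 (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 654114290
 for <robertnn@alpha-business-centre.co.uk>; Mon, 2 May 2011 18:46:18 +0300
From: <robertnn@alpha-business-centre.co.uk>
Subject: from Lucile

"""
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_received(raw):
    """Received hops, top (newest) to bottom (oldest): HELO name, client IP, relay, auth flag."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = re.match(r"from (\S+) ?(?:\(([^)]*)\))? ?by (\S+)(.*)", value)
        if not m:
            continue
        helo, comment, by, rest = m.groups()
        ip = IPV4.search(comment or "") or IPV4.search(helo)
        hops.append({"helo": helo, "ip": ip.group(1) if ip else None,
                     "by": by, "auth": "ESMTPA" in rest})
    return hops

def trace_origin(raw, our_hosts):
    """The first hop stamped by one of our own servers (our_hosts, an assumption) is the last
    trustworthy one: its client IP is the real origin; every hop below it may be forged."""
    hops = parse_received(raw)
    for i, hop in enumerate(hops):
        if hop["by"] in our_hosts:
            return {"origin_ip": hop["ip"], "helo": hop["helo"], "untrusted_hops": hops[i + 1:]}
    return {"origin_ip": None, "helo": None, "untrusted_hops": hops}

def spoof_indicators(raw, our_hosts, our_domain):
    """Reasons to treat the message as spoofed rather than sent by our user."""
    trace, findings = trace_origin(raw, our_hosts), []
    if trace["origin_ip"] and not trace["helo"].endswith(our_domain):
        findings.append(f"origin {trace['origin_ip']} (HELO {trace['helo']}) is outside {our_domain}")
    for hop in trace["untrusted_hops"]:  # a forged "relayed by our own server" hop
        if hop["by"].endswith(our_domain):
            findings.append(f"sender-supplied hop claims relay by {hop['by']}"
                            + (", authenticated" if hop["auth"] else ""))
    return findings
```

The two findings it returns for this message are evidence that the address was used as a forged sender, not that the user's account or mailbox sent anything.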
LVL 1

Author Comment

by:rax2473
ID: 35514352
Hi,

Thank you so much for the reply. But could I please know how you could zero in on the address?

How can we ensure that our domain email address is not seen as an open relay?

How do we blacklist these email addresses algardo@sura.ru & petroff@sura.ru when I am not sure whether they were the actual perpetrators of this spoof?

LVL 100

Accepted Solution

by:
John Hurst earned 1500 total points
ID: 35514888
In terms of finding the offending IP address, it is normally near the bottom. I just read it off your post.

In terms of blacklisting, that is a function of your spam filter. The method varies by filter. Let us know what spam control you are using.

The support addresses I posted are NOT the perpetrators, rather they are the owners of the domain used for spamming. You have to contact them if you want to carry it further, but I do not find that helpful. I just use a really good spam filter (spamassassin).

... Thinkpads_User
LVL 1

Author Closing Comment

by:rax2473
ID: 35515442
I got a complete picture of the whole scenario, and even if I did not get the solution for how to get the address from him, I truly feel that the user's knowledge and promptness in answering my query had gained him brownie points from me straight away.

Thank you so much for this forum.
LVL 100

Expert Comment

by:John Hurst
ID: 35515580
You are most welcome, and I was pleased to assist.   ... Thinkpads_User
