Solved

Mystery email delivery

Posted on 2014-02-03
16
322 Views
Last Modified: 2014-03-19
We have an Exchange 2010 (SBS) server which is delivering small amounts of spam to a particular address that doesn't (or shouldn't) exist. The email appears to be being sent to nonexistantuser@domain.com and it's being delivered to user1@domain.com, user2@domain.com and user3@domain.com - This suggests it might be an address on an internal distribution list but we can't find anything to support this theory. It's only a small company so we've been through the Exchange mailboxes looking for this address but can't find it anywhere.

In short, it's being received on an address that shouldn't exist and it's arriving in several people's (but not eveyone's) mailboxes.

Looking at the header of the email, there's no evidence to suggest that it's being received on a BCC - the only email addresses mentioned are the sender and the unknown address on our client's domain.

The server is generally well configured and not set to receive 'catch all' emails.

The email also shows that it has been scanned for malware prior to delivery which suggests that it doesn't originate from within the local network since the scanning is outsourced and only scans external emails.

Any ideas?
0
Comment
Question by:edz_pgt
  • 8
  • 5
  • 2
  • +1
16 Comments
 
LVL 22

Expert Comment

by:David Atkin
Comment Utility
Hello,

Have you tried running a query in active directory for the unknown email address? It may be setup as an alias for a group.

See:
http://exchangepedia.com/2006/03/how-to-find-an-email-address-in-active-directory.html
0
 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
Thanks - some interesting ways to find addresses there. However, this PowerShell command returns nothing (I entered the actual email address in the search string!):

get-recipient | where {$_.emailaddresses -match “foo@domain.com”} | select name,emailaddresses

Looks like the server isn't aware of this address?
0
 
LVL 22

Expert Comment

by:David Atkin
Comment Utility
Interesting.  Have you tried emailing the address yourself to see if it actually delivers?

Also, in your Anti-Spam settings do you have 'Black Messages sent to recipients that do not existing in the directory' ticked?    (Org Conf>Hub Transport> Anti-Spam> Recipient filtering>Blocked Recipients)
0
 
LVL 9

Expert Comment

by:rawinnlnx9
Comment Utility
What kind of SPAM filter are you using? I'm guessing your server may be the source of the SPAM and I'd investigate that. At DNS stuff there's a load of tools that can help you.

Here is the SPF record for domain.com it lists all the IP addresses in use for sending mail. Now you can try blocking those IP's using your Exchange tools or your firewall.

"v=spf1 mx ip4:69.63.211.0/25 ip4:64.85.73.0/25 ip4:70.103.251.0/24 ip4:63.251.171.160/27 ip4:216.34.94.160/27 include:rnmk.com include:custhelp.com include:salesforce.com include:emailbrain.com -all"

If you block mail from those IP's and you are still getting the spam make sure your SPAM filter is doing reverse lookups on domains and checking their SPF records.
0
 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
Good thinking.

Yes, there's a tick in that box.

Sending an email to that address from outside actually bounces back as undeliverable so this must be being sent some other way.

I'd like to have someone send an email internally but they've all gone home now.

Am I correct in thinking that the header code in an email message will always display the receiving email address even if it's received on a BCC address?
I've done a test using a couple of unrelated email addresses and and I can see the BCC'd address in my received test message. I would just like to rule this out though.
0
 
LVL 22

Expert Comment

by:David Atkin
Comment Utility
You could log into OWA as the admin and send the message.  If you don't get a bounce back then check the tracking logs to see where its gone.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
Sounds like standard spoofed sender spam.
Looking in the headers for evidence of BCC isn't going to help, because there will be none - otherwise it wouldn't be a blind copy.

Standard spammers technique is to put an email address in the target domain in the To line, BCC all other recipients, in the hope that the email admin has whitelisted their own domain.

If there are headers then it is coming from outside, so you need to look at the whitelisting to see if the domain has been whitelisted.

Simon.
0
 
LVL 22

Expert Comment

by:David Atkin
Comment Utility
The price of on line email filtering is relatively low now. It would be worth considering it.

I can recommend Spambrella.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
Hi Simon,

I'm not sure why you'd say that. I tested the BCC theory before I suggested it. I agree that showing all BCC addresses in the header as it goes to each recipient doesn't happen and would be stupid. However, each recipient does see their own address in the header as in the following header. This header was taken from the email received by the BCC recipient in my test:

Delivered-To: bcc-address@recipient2.com
Received: by 10.66.0.227 with SMTP id 3csp144600pah;
        Mon, 3 Feb 2014 07:48:36 -0800 (PST)
X-Received: by 10.14.221.129 with SMTP id r1mr634812eep.113.1391442516299;
        Mon, 03 Feb 2014 07:48:36 -0800 (PST)
Return-Path: <sender@sender.com>
Received: from psmtp.com (eu1sys200amx136.postini.com [207.126.144.225])
        by mx.google.com with SMTP id h44si20604870eew.59.2014.02.03.07.48.27
        for <bcc-address@recipient2.com>
        (version=TLSv1 cipher=RC4-SHA bits=128/128);
        Mon, 03 Feb 2014 07:48:36 -0800 (PST)
Received-SPF: pass (google.com: domain of sender@sender.com designates 213.199.154.10 as permitted sender) client-ip=213.199.154.10;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sender@sender.com designates 213.199.154.10 as permitted sender) smtp.mail=sender@sender.com
Received: from emea01-am1-obe.outbound.protection.outlook.com ([213.199.154.10]) (using TLSv1) by eu1sys200amx136.postini.com ([207.126.147.10]) with SMTP;
	Mon, 03 Feb 2014 15:48:28 GMT
Received: from DB3PR05MB025.eurprd05.prod.outlook.com (10.242.137.12) by
 DB3PR05MB027.eurprd05.prod.outlook.com (10.242.137.18) with Microsoft SMTP
 Server (TLS) id 15.0.868.8; Mon, 3 Feb 2014 15:48:26 +0000
Received: from DB3PR05MB025.eurprd05.prod.outlook.com ([169.254.1.244]) by
 DB3PR05MB025.eurprd05.prod.outlook.com ([169.254.1.208]) with mapi id
 15.00.0868.013; Mon, 3 Feb 2014 15:48:25 +0000
From: Joe Soap <sender@sender.com>
To: "to-address@recipient1.com" <to-address@recipient1.com>
Subject: RE: Message1545
Thread-Topic: Message1545
Thread-Index: AQHPIPb+pMsdheql6UiMIvVckYdT7pqjrLLF
Date: Mon, 3 Feb 2014 15:48:25 +0000
Message-ID: <5b8ff4d33d754d8097592a8d5339f8f8@DB3PR05MB025.eurprd05.prod.outlook.com>
References: <CAOWh5tQ8zVEGiCQQA1MyvJ6mWcmi8bGwTyVv1w_=70J9tDaQCw@mail.gmail.com>
In-Reply-To: <CAOWh5tQ8zVEGiCQQA1MyvJ6mWcmi8bGwTyVv1w_=70J9tDaQCw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [82.17.211.106]
x-forefront-prvs: 01110342A5
x-forefront-antispam-report: SFV:NSPM;SFS:(10009001)(71364002)(189002)(199002)(74316001)(53806001)(76482001)(85306002)(83322001)(51856001)(80022001)(66066001)(65816001)(19580395003)(87936001)(54356001)(16236675002)(63696002)(54316002)(76576001)(47446002)(74502001)(56776001)(74662001)(31966008)(74706001)(76796001)(19580405001)(76786001)(80976001)(46102001)(79102001)(33646001)(85806002)(2656002)(74876001)(15202345003)(92566001)(89136003)(77096001)(19617315010)(64872005)(15975445006)(94946001)(83072002)(18206015023)(86442001)(94316002)(81342001)(81816001)(81686001)(81542001)(87266001)(93136001)(85852003)(77982001)(59766001)(74366001)(56816005)(90146001)(93516002)(86362001)(1411001)(4396001)(50986001)(69226001)(47976001)(47736001)(49866001)(146863001)(24736002)(83022001);DIR:OUT;SFP:1101;SCL:1;SRVR:DB3PR05MB027;H:DB3PR05MB025.eurprd05.prod.outlook.com;CLIP:82.17.211.106;FPR:F4CC45AC.AC25DF59.1BD353A4.44E1E84C.2024C;InfoNoRecordsMX:1;A:0;LANG:en;
Content-Type: multipart/alternative;
	boundary="_000_5b8ff4d33d754d8097592a8d5339f8f8DB3PR05MB025eurprd05pro_"
MIME-Version: 1.0
X-OriginatorOrg: lindaven.onmicrosoft.com
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:96.66745/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-dkim: 0 skipped:not-enabled
X-pstn-settings: 3 (1.0000:1.0000) s cv gt4 gt3 gt2 gt1 r p m c
X-pstn-addresses: from <sender@sender.com> [2647/102]
X-pstn-nxpr: disp=neutral, envrcpt=bcc-address@recipient2.com
X-pstn-nxp: bodyHash=1a0f69c71150adbee4143727f4424f3567feba13, headerHash=b3f7fa74e98e3ea4f24b337bfa509ac5d7be8a63, keyName=4, rcptHash=8f59433f85a37ca384160df276de5819f18f00a1, sourceip=213.199.154.10, version=1

--_000_5b8ff4d33d754d8097592a8d5339f8f8DB3PR05MB025eurprd05pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Open in new window

0
 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
Thanks David but the mail is filtered externally. As I say, the mail bounces back if you try to email in to that address from outside.

I will hopefully try the OWA test you suggested shortly though - thanks.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Comment Utility
Its spam - therefore the header information cannot be trusted. Nothing in the header is worth looking at because it is usually all faked.

Simon.
0
 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
Would whatever lies the spam had in it not be appended by the Exchange server as it passed through it?
0
 
LVL 1

Author Comment

by:edz_pgt
Comment Utility
The internal email failed to send. So, it must be received on a different address. I am puzzled as to how it arrives without headers being added by the server though.
0
 
LVL 22

Expert Comment

by:David Atkin
Comment Utility
As Simon said, it will be BCC'ing various other addresses as well.  So although it says its sending to an unknown email address its probably bcc'd their actual addresses.

You could try blocking the source IP address but they will likely change it in the future.
0
 
LVL 1

Accepted Solution

by:
edz_pgt earned 0 total points
Comment Utility
This was actually received in tact by the spam filtering service (3rd party) but the headers we needed to see were stripped before it was forwarded to us.

We were receiving the BCC as we'd originally suspected but the headers were tampered with and this threw us off. It wasn't spoofed by the spammer though. When we got the full message from the filtering company it all made sense.
0
 
LVL 1

Author Closing Comment

by:edz_pgt
Comment Utility
Thanks for your hints guys.
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now