Solved

Undeliverable messages that were not sent!

Posted on 2014-02-18
Last Modified: 2014-03-06
One of our users received 20+ 'undeliverable messages' at about 6:00 AM this morning.
Most came from the same postmaster@sww.co.au  but also MAILER-DAEMON@uecomm.net.au


The header says:
Received: from localhost (83.222.229.28)

But that is nothing like our public IP.

I would like to give the user a bit of an explanation as to why they have had all these undeliverable messages.
I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

Any other thoughts experts?

Thanks
Neil


Copy of a message header:

From: postmaster@ssw.com.au [mailto:postmaster@ssw.com.au]
Sent: 18 February 2014 05:54
To: Our User
Subject: Undeliverable: Caution, You have delayed email on Amazon


Delivery has failed to these recipients or groups:

girlfritendwill@ssw.com.au
The email address that you entered couldn't be found. Check the address and try resending the message. If the problem continues, please contact your helpdesk.


The following organisation rejected your message: SYDEXCH2013P01.sydney.ssw.com.au.

Diagnostic information for administrators:

Generating server: DB3FFO11HUB061.mail.protection.outlook.com

girlfritendwill@ssw.com.au
SYDEXCH2013P01.sydney.ssw.com.au #<SYDEXCH2013P01.sydney.ssw.com.au #5.1.1 smtp;550 5.1.1 User unknown> #SMTP#

Original message headers:

Received: from DB3FFO11FD042.protection.gbl (10.47.216.30) by
 DB3FFO11HUB061.protection.gbl (10.47.217.32) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (83.222.229.28) by
 DB3FFO11FD042.mail.protection.outlook.com (10.47.217.73) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Date: Tue, 18 Feb 2014 05:53:54 +0000
To: "girlfritendwill@ssw.com.au" <girlfritendwill@ssw.com.au>
Subject: Caution, You have delayed email on Amazon
X-Priority: 1
Message-ID: <a97c.7b129ec84b3@ourdomain.co.uk>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-Path: our.user@ourdomain.co.uk
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:83.222.229.28;CTRY:GB;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(6019001)(6069001)(189002)(199002)(31966008)(77096001)(76786001)(85852003)(47736001)(74482001)(87836001)(59766001)(54316002)(36756003)(77982001)(47446002)(33646001)(15975445006)(76796001)(56776001)(79102001)(83072002)(76482001)(87266001)(85306002)(56816005)(81816001)(74366001)(90146001)(50466002)(80022001)(65816001)(69226001)(57986002)(94316002)(74662001)(74876001)(74706001)(93136001)(74502001)(92726001)(4396001)(558084003)(15202345003)(92566001)(16799955002)(20776003)(95666001)(44976005)(83322001)(23676002)(95416001)(23846002)(15188155005)(51856001)(53806001)(80976001)(76176001)(50986001)(94946001)(47976001)(81342001)(25786004)(19580395003)(76506004)(63696002)(46102001)(86362001)(93516002)(49866001)(81542001)(54356001)(6896010);DIR:INB;SFP:;SCL:5;SRVR:DB3FFO11HUB061;H:localhost;CLIP:83.222.229.28;FPR:AED7DDE7.5CB3D7CD.9053F5B0.EAD5ACDA.20045;MLV:sfv;InfoDomainNonexistentMX:1;A:1;LANG:en;
Received-SPF: None (: ourdomain.co.uk does not designate permitted sender
 hosts)
Question by:NELMO
9 Comments
 
LVL 90

Expert Comment

by:John Hurst
I saw something similar to that at a client. The explanation from the ISP / Email vendor was that the client's webmail email (not his computer) was compromised and "undeliverable messages" started.

The solution was to change the webmail password to a different and more secure password. That solved the issue.

I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.


I suspect that both are possibilities. Scan for malware and change the email password right away.
 
LVL 61

Expert Comment

by:gheist
localhost is usually the default hostname on Fedora/Red Hat unless somebody sets a meaningful name.
Ask the network owner (a hosting company in Canada) what happened.


$ whois 83.222.229.28
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '83.222.228.0 - 83.222.229.255'

% Abuse contact for '83.222.228.0 - 83.222.229.255' is 'abuse@peer1.com'

inetnum:        83.222.228.0 - 83.222.229.255
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
admin-c:        NOC116-RIPE
tech-c:         NOC116-RIPE
status:         ASSIGNED PA
mnt-by:         PNE-NETADMIN-MNT
mnt-lower:      PNE-NETADMIN-MNT
mnt-domains:    PNE-NETADMIN-MNT
mnt-routes:     PNE-NETADMIN-MNT
source:         RIPE # Filtered
remarks:        INFRA-AW

organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
address:        Peer 1 Network Inc. 1000-555 West Hastings Street V6B 4N5 Vancouver Canada
phone:          +16046837747
fax-no:         +16046834634
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        PNE-NETADMIN-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        PE1
source:         RIPE # Filtered

person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.71 (WHOIS3)
 

Author Comment

by:NELMO
I have sent a query off to the RIPE abuse address, waiting for a reply.
However, this is only one of the undeliverable messages that this user has received. The others come from various other networks (USA and India predominantly).
This morning he received another batch of 20 Undeliverables!

I have checked his account through Exchange Manager and there is no record of emails being sent from his address, so I am safe to assume the problem is not at this end.
What are the relevant parts of the header that I should look at to try and track where it is originating from (or is that possible)?

He has quickly gone from "What is going on" to "JUST GET THIS SORTED"
 
LVL 61

Expert Comment

by:gheist
Probably some of his contacts got some Outlook virus that sends mass mails in his name and he gets the bounces. You can add some DNSBL checks to your incoming mailer, but in general, to stop it, his friend must clean the viruses.
Examine carefully all headers of original mails included in bounce messages.
Don't send anything to RIPE, they don't spam anybody, they just issue IP addresses in Europe.
This is the IP owner:
person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered
 
LVL 61

Expert Comment

by:gheist
Actually your message is missing headers (they don't tell where YOU received it from) and the outlook.com headers seem fake.
 

Author Comment

by:NELMO
I now have another user getting the same (although not as many - yet) undeliverable mail messages.
They are being returned from a variety of sources - a university in Boston USA, a Web Designer from Australia and a Technology Company in India!

gheist:
I looked into DNSBL (very interesting). Got to the dnsbl-check site and ran a check on our mail server. We got the 'all clear' as I expected. I could block the IP addresses of where the 'undeliverables' come from, but that would be no good, it is legitimate mailservers answering wrong addressees.

The two users both have hundreds of contacts (many that would overlap); it would be impossible to find out which one is infected, as I am sure one or more of them are.

For now I am getting them just to delete the messages and hope their occurrence slows down.

For now I am stumped!!
 
LVL 61

Accepted Solution

by: gheist (earned 500 total points)
You can dig something from headers.
I just checked
http://www.dnsbl.info/dnsbl-database-check.php
The only address you shared sends spam backscatter (the one your bosses are getting), so you can block bounces (i.e. empty MAIL FROM) from backscatter IPs (easy to say, probably hard to implement on your mailer even if it supports DNSBL, good luck).
4xx will also make their problems noticeable to them by filling their mail queues.

Normally nowadays a mail server is expected to reject wrong mail in the SMTP session as far as possible, and not queue mail for unknown users and then send a bounce message.
 

Author Closing Comment

by:NELMO
Spam is still just something we all have to live with, but your links to the dnsbl sites have given me some more tools for finding information to give to my users.

Thanks

Neil
 
LVL 61

Expert Comment

by:gheist
You can implement DNSBL checks and prevent the most prevalent classes of SPAM,
i.e.:
User sends you spam mail (as attachment so you see the headers)
You dig the originating IP
You find the easiest way to block that class of spam (dnsbl...)
And tell the user to tell you if they get more spam...
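Added example (not from the thread or any poster): a Python sketch of the two steps gheist describes in the accepted solution and in the comment above, pulling the originating IP out of the Received: headers of the message embedded in a bounce, and refusing null-sender bounces (empty MAIL FROM) from hosts listed on a backscatter DNSBL, with the 4xx variant he mentions. The DNSBL zone name, the injectable resolver and the sample headers (constructed from the bounce quoted in the question) are assumptions of this example.

```python
import re
import socket
from email import message_from_string

# Assumed DNSBL zone for this example; substitute the list your site actually queries.
DNSBL_ZONE = "ips.backscatterer.org"
# Constructed sample: the original-message headers quoted in the bounce above.
SAMPLE_HEADERS = """\
Received: from DB3FFO11FD042.protection.gbl (10.47.216.30) by
 DB3FFO11HUB061.protection.gbl (10.47.217.32) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (83.222.229.28) by
 DB3FFO11FD042.mail.protection.outlook.com (10.47.217.73) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
Return-Path: our.user@ourdomain.co.uk

"""
# The first parenthesised IPv4 in a Received: line is the connecting client's address.
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def received_ips(raw_headers):
    """Client IPs from every Received: line, in header order (newest hop first)."""
    msg = message_from_string(raw_headers)
    hops = [IP_RE.search(h.replace("\n", " ")) for h in msg.get_all("Received", [])]
    return [m.group(1) for m in hops if m]

def originating_ip(raw_headers):
    """Bottom-most Received: is the earliest hop; hops below a server you trust may be forged."""
    ips = received_ips(raw_headers)
    return ips[-1] if ips else None

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Reverse the octets and append the zone: 83.222.229.28 -> 28.229.222.83.<zone>"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """A DNSBL answers with an A record when listed and NXDOMAIN when not."""
    try:
        resolve(dnsbl_name(ip))
        return True
    except OSError:  # socket.gaierror (NXDOMAIN) is an OSError subclass
        return False

def bounce_policy(mail_from, client_ip, tempfail=False, resolve=socket.gethostbyname):
    """SMTP reply: only null-sender bounces from a listed host are refused. A 4xx
    instead of 5xx keeps the mail in the sender's queue, making the problem visible to them."""
    if mail_from != "" or not is_listed(client_ip, resolve):
        return "250 OK"
    return "450 4.7.1 Try again later" if tempfail else "550 5.7.1 Backscatter refused"
```

Real deployments do this lookup inside the MTA's policy hook rather than in a script; the functions above show the decision, not the integration.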
