Solved

Undeliverable messages that were not sent!

Posted on 2014-02-18
Last Modified: 2014-03-06
One of our users received 20+ 'undeliverable messages' at about 6:00 AM this morning.
Most came from the same postmaster@sww.co.au, but also from MAILER-DAEMON@uecomm.net.au


The header says:
Received: from localhost (83.222.229.28)

But that is nothing like our public IP.

I would like to give the user a bit of an explanation as to why they have had all these undeliverable messages.
I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

Any other thoughts, experts?

Thanks
Neil


Copy of a message header:

From: postmaster@ssw.com.au [mailto:postmaster@ssw.com.au]
Sent: 18 February 2014 05:54
To: Our User
Subject: Undeliverable: Caution, You have delayed email on Amazon


Delivery has failed to these recipients or groups:

girlfritendwill@ssw.com.au
The email address that you entered couldn't be found. Check the address and try resending the message. If the problem continues, please contact your helpdesk.


The following organisation rejected your message: SYDEXCH2013P01.sydney.ssw.com.au.

Diagnostic information for administrators:

Generating server: DB3FFO11HUB061.mail.protection.outlook.com

girlfritendwill@ssw.com.au
SYDEXCH2013P01.sydney.ssw.com.au #<SYDEXCH2013P01.sydney.ssw.com.au #5.1.1 smtp;550 5.1.1 User unknown> #SMTP#

Original message headers:

Received: from DB3FFO11FD042.protection.gbl (10.47.216.30) by
 DB3FFO11HUB061.protection.gbl (10.47.217.32) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (83.222.229.28) by
 DB3FFO11FD042.mail.protection.outlook.com (10.47.217.73) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Date: Tue, 18 Feb 2014 05:53:54 +0000
To: "girlfritendwill@ssw.com.au" <girlfritendwill@ssw.com.au>
Subject: Caution, You have delayed email on Amazon
X-Priority: 1
Message-ID: <a97c.7b129ec84b3@ourdomain.co.uk>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-Path: our.user@ourdomain.co.uk
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:83.222.229.28;CTRY:GB;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(6019001)(6069001)(189002)(199002)(31966008)(77096001)(76786001)(85852003)(47736001)(74482001)(87836001)(59766001)(54316002)(36756003)(77982001)(47446002)(33646001)(15975445006)(76796001)(56776001)(79102001)(83072002)(76482001)(87266001)(85306002)(56816005)(81816001)(74366001)(90146001)(50466002)(80022001)(65816001)(69226001)(57986002)(94316002)(74662001)(74876001)(74706001)(93136001)(74502001)(92726001)(4396001)(558084003)(15202345003)(92566001)(16799955002)(20776003)(95666001)(44976005)(83322001)(23676002)(95416001)(23846002)(15188155005)(51856001)(53806001)(80976001)(76176001)(50986001)(94946001)(47976001)(81342001)(25786004)(19580395003)(76506004)(63696002)(46102001)(86362001)(93516002)(49866001)(81542001)(54356001)(6896010);DIR:INB;SFP:;SCL:5;SRVR:DB3FFO11HUB061;H:localhost;CLIP:83.222.229.28;FPR:AED7DDE7.5CB3D7CD.9053F5B0.EAD5ACDA.20045;MLV:sfv;InfoDomainNonexistentMX:1;A:1;LANG:en;
Received-SPF: None (: ourdomain.co.uk does not designate permitted sender
 hosts)
Question by:NELMO

Expert Comment

by:John Hurst
ID: 39867791
I saw something similar to that at a client. The explanation from the ISP / Email vendor was that the client's webmail email (not his computer) was compromised and "undeliverable messages" started.

The solution was to change the webmail password to a different and more secure password. That solved the issue.

I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.


I suspect that both are possibilities. Scan for malware and change the email password right away.

Expert Comment

by:gheist
ID: 39868782
localhost is usually the default hostname on Fedora/Red Hat unless somebody sets a meaningful name.
Ask the network owner (a hosting company in Canada) what happened.


$ whois 83.222.229.28
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '83.222.228.0 - 83.222.229.255'

% Abuse contact for '83.222.228.0 - 83.222.229.255' is 'abuse@peer1.com'

inetnum:        83.222.228.0 - 83.222.229.255
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
admin-c:        NOC116-RIPE
tech-c:         NOC116-RIPE
status:         ASSIGNED PA
mnt-by:         PNE-NETADMIN-MNT
mnt-lower:      PNE-NETADMIN-MNT
mnt-domains:    PNE-NETADMIN-MNT
mnt-routes:     PNE-NETADMIN-MNT
source:         RIPE # Filtered
remarks:        INFRA-AW

organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
address:        Peer 1 Network Inc. 1000-555 West Hastings Street V6B 4N5 Vancouver Canada
phone:          +16046837747
fax-no:         +16046834634
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        PNE-NETADMIN-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        PE1
source:         RIPE # Filtered

person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.71 (WHOIS3)
Author Comment

by:NELMO
ID: 39870890
I have sent a query off to the RIPE abuse address, waiting for a reply.
However, this is only one of the undeliverable messages that this user has received. The others come from various other networks (USA and India predominantly).
This morning he received another batch of 20 Undeliverables!

I have checked his account through Exchange Manager and there is no record of emails being sent from his address, so I am safe to assume the problem is not at this end.
What are the relevant parts of the header that I should look at to try and track where it is originating from (or is that possible)?

He has quickly gone from "What is going on" to "JUST GET THIS SORTED"

Expert Comment

by:gheist
ID: 39870963
Probably some of his contacts got some Outlook virus that sends mass mails in his name, and he gets the bounces. You can add some DNSBL checks to your incoming mailer, but in general, to stop it, his friend must clean the viruses.
Examine carefully all headers of the original mails included in the bounce messages.
Don't send anything to RIPE, they don't spam anybody, they just issue IP addresses in Europe.
This is IP owner:
person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered
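The header examination gheist recommends, carried out on the bounce quoted in the question, as an added example (this is not code from the thread). It walks the Received: chain from the oldest hop upwards to the first public address, cross-checks that address against the CIP field that Exchange Online Protection wrote into X-Forefront-Antispam-Report, reads the Received-SPF result, and compares the origin with our own MTA's address. 203.0.113.10 is an assumed placeholder for that address, and the X-Forefront-Antispam-Report line is trimmed to the fields the code uses.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Headers copied from the bounce quoted in the question (hostnames and the
# 83.222.229.28 address are the page's own); the long SFS list in the
# X-Forefront-Antispam-Report header is trimmed to the fields used below.
BOUNCE_HEADERS = """\
Received: from DB3FFO11FD042.protection.gbl (10.47.216.30) by
 DB3FFO11HUB061.protection.gbl (10.47.217.32) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (83.222.229.28) by
 DB3FFO11FD042.mail.protection.outlook.com (10.47.217.73) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Return-Path: our.user@ourdomain.co.uk
X-Forefront-Antispam-Report: CIP:83.222.229.28;CTRY:GB;SFV:SPM;SCL:5;H:localhost;
Received-SPF: None (: ourdomain.co.uk does not designate permitted sender
 hosts)
"""

# "from <helo> (<ip>) by <host>" as written by most MTAs. The HELO name is
# whatever the client claimed; the IP in parentheses is what the receiving
# server actually saw on the TCP connection.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ip>[0-9a-fA-F.:]+)\)\s+by\s+(?P<by>\S+)"
)


def parse_hops(msg):
    """Return the Received: chain as dicts, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        # Collapse folded continuation lines before matching.
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops


def analyse_bounce(raw_headers, our_public_ips):
    """Work out where the 'undeliverable' original really entered the mail system.

    our_public_ips: the addresses our own outbound MTA sends from (assumed set).
    """
    msg = message_from_string(raw_headers)
    hops = parse_hops(msg)

    # Walk from the oldest hop upwards and stop at the first public address:
    # that is the host which handed the message to the first trustworthy relay.
    origin = next(
        (h for h in reversed(hops) if ip_address(h["ip"]).is_global), None
    )

    # Exchange Online Protection records the connecting IP separately (CIP);
    # it should agree with what the Received: chain says.
    report = msg.get("X-Forefront-Antispam-Report", "")
    cip = re.search(r"CIP:([0-9a-fA-F.:]+)", report)
    eop_cip = cip.group(1) if cip else None

    spf_header = msg.get("Received-SPF", "")
    spf = spf_header.split()[0].lower() if spf_header else "unknown"

    origin_ip = origin["ip"] if origin else None
    return {
        "origin_ip": origin_ip,
        "origin_helo": origin["helo"] if origin else None,
        "eop_cip": eop_cip,
        "cip_matches_chain": eop_cip == origin_ip,
        "spf": spf,
        "sent_by_our_mta": origin_ip in our_public_ips,
        # Not from our MTA and no SPF pass: the envelope sender was forged.
        "forged_sender": origin_ip not in our_public_ips and spf != "pass",
    }


if __name__ == "__main__":
    # 203.0.113.10 stands in for our own public MX address (assumed).
    for key, value in analyse_bounce(BOUNCE_HEADERS, {"203.0.113.10"}).items():
        print(f"{key:18} {value}")
```

On the bounce from the question this reports 83.222.229.28 (HELO "localhost", SPF "none") as the host that handed the message to Microsoft's filter, with the CIP field agreeing, so the From/Return-Path was forged rather than sent through the user's mailbox, which is consistent with NELMO finding nothing in the Exchange send logs.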

Expert Comment

by:gheist
ID: 39871374
Actually, your message is missing headers (they don't tell where YOU received it from), and the outlook.com headers seem fake.
Author Comment

by:NELMO
ID: 39873317
I now have another user getting the same (although not as many - yet) undeliverable mail messages.
They are being returned from a variety of sources - a university in Boston USA, a Web Designer from Australia and a Technology Company in India!

gheist:
I looked into DNSBL (very interesting). Got to the dnsbl-check site and ran a check on our mail server. We got the 'all clear' as I expected. I could block the IP addresses of where the 'undeliverables' come from, but that would be no good, it is legitimate mailservers answering wrong addressees.

The two users both have hundreds of contacts (many of which would overlap); it would be impossible to find out which one is infected, as I am sure one or more of them are.

For now I am getting them just to delete the messages and hope their occurrence slows down.

For now I am stumped!!

Accepted Solution

by: gheist (earned 500 total points)
ID: 39873437
You can dig something from headers.
I just checked
http://www.dnsbl.info/dnsbl-database-check.php
The only address you shared sends spam backscatter (the one your bosses are getting), so you can block bounces (i.e. empty MAIL FROM) from backscatter IPs (easy to say, probably hard to implement on your mailer even if it supports DNSBL, good luck).
4xx will also make their problems noticeable to them by filling their mail queues.

Normally, nowadays a mail server is expected to reject wrong mail in the SMTP session as far as possible, and not queue mail for unknown users and then send a bounce message.
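The SMTP-time policy the accepted solution describes, as an added example that is not the thread's own code and not a drop-in for any particular mailer: reject unknown local users inside the session with 550 (so no bounce is ever generated for a forged sender), and for null-sender mail (a bounce) refuse the client if it is listed in a backscatter DNSBL, with either 4xx or 5xx. The local user list, the zone name ips.backscatterer.org (used as an illustrative zone; substitute the list you subscribe to) and the DNS answers in FAKE_DNS are assumptions constructed so the example runs offline.

```python
import socket
from ipaddress import ip_address

# Assumed local domain and mailboxes; stands in for the Exchange recipient list.
LOCAL_DOMAIN = "ourdomain.co.uk"
KNOWN_USERS = {"our.user", "postmaster"}

# Illustrative backscatter list zone (assumption; substitute the list you use).
BACKSCATTER_ZONE = "ips.backscatterer.org"

# Constructed DNSBL answers so the example runs offline. A listed address
# resolves to something in 127.0.0.0/8; an unlisted one is NXDOMAIN.
FAKE_DNS = {
    "28.229.222.83.ips.backscatterer.org": "127.0.0.2",  # the IP from the bounce
}


def dnsbl_query_name(client_ip, zone):
    """Reverse the octets of an IPv4 address and append the list zone."""
    addr = ip_address(client_ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def fake_resolve(name):
    """Stand-in for socket.gethostbyname(): returns None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def real_resolve(name):
    """Live lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def rcpt_decision(client_ip, mail_from, rcpt_to, resolve=fake_resolve, defer=False):
    """Decide at RCPT TO time, inside the SMTP session, whether to take the message.

    Returns the SMTP reply line the server would send.
    """
    local, _, domain = rcpt_to.rpartition("@")

    # We are not an open relay: only our own domain is accepted.
    if domain.lower() != LOCAL_DOMAIN:
        return "554 5.7.1 Relay access denied"

    # 1. Unknown local user: say so now. Accepting and bouncing later is what
    #    creates backscatter for whoever's address the spammer forged.
    if local.lower() not in KNOWN_USERS:
        return "550 5.1.1 User unknown"

    # 2. Null sender means a bounce or other auto-reply. If the client is a
    #    known backscatter source, refuse it; 4xx makes the sender keep
    #    retrying (and fills its queue), 5xx drops the message for good.
    if mail_from == "" and resolve(dnsbl_query_name(client_ip, BACKSCATTER_ZONE)):
        if defer:
            return "450 4.7.1 Client host listed as backscatter source, try later"
        return "554 5.7.1 Client host listed as backscatter source"

    return "250 2.1.5 Recipient OK"


if __name__ == "__main__":
    # Bounce from the host seen in the question's headers: refused.
    print(rcpt_decision("83.222.229.28", "", "our.user@ourdomain.co.uk"))
    # Ordinary mail with a real sender from the same host: accepted.
    print(rcpt_decision("83.222.229.28", "someone@example.net", "our.user@ourdomain.co.uk"))
    # Mail to a non-existent local user: rejected in-session, no bounce created.
    print(rcpt_decision("198.51.100.7", "someone@example.net", "nobody@ourdomain.co.uk"))
```

The listing is only consulted when MAIL FROM is empty: the same host delivering ordinary mail with a real sender is accepted, which addresses NELMO's objection that these are legitimate mail servers and cannot simply be blocked outright. Pass resolve=real_resolve to use live DNS.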
 

Author Closing Comment

by:NELMO
ID: 39909000
Spam is still just something we all have to live with, but your links to the dnsbl sites have given me some more tools for finding information to give to my users.

Thanks

Neil

Expert Comment

by:gheist
ID: 39909800
You can implement DNSBL checks and prevent the most prevalent classes of spam, i.e.:
User sends you spam mail (as attachment so you see the headers)
You dig originating IP
You find the easiest way to block class of spam (dnsbl...)
And tell user to tell you if they get more spam...