

Undeliverable messages that were not sent!

Posted on 2014-02-18
Medium Priority
Last Modified: 2014-03-06
One of our users received 20+ 'undeliverable messages' at about 6:00 AM this morning.
Most came from the same postmaster@sww.co.au, but also MAILER-DAEMON@uecomm.net.au.

The header says:
Received: from localhost (

But that is nothing like our public IP.

I would like to give the user a bit of an explanation as to why they have had all these undeliverable messages.
I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

Any other thoughts experts?


Copy of a message header:

From: postmaster@ssw.com.au [mailto:postmaster@ssw.com.au]
Sent: 18 February 2014 05:54
To: Our User
Subject: Undeliverable: Caution, You have delayed email on Amazon

Delivery has failed to these recipients or groups:

The email address that you entered couldn't be found. Check the address and try resending the message. If the problem continues, please contact your helpdesk.

The following organisation rejected your message: SYDEXCH2013P01.sydney.ssw.com.au.

Diagnostic information for administrators:

Generating server: DB3FFO11HUB061.mail.protection.outlook.com

SYDEXCH2013P01.sydney.ssw.com.au #<SYDEXCH2013P01.sydney.ssw.com.au #5.1.1 smtp;550 5.1.1 User unknown> #SMTP#

Original message headers:

Received: from DB3FFO11FD042.protection.gbl ( by
 DB3FFO11HUB061.protection.gbl ( with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost ( by
 DB3FFO11FD042.mail.protection.outlook.com ( with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Date: Tue, 18 Feb 2014 05:53:54 +0000
To: "girlfritendwill@ssw.com.au" <girlfritendwill@ssw.com.au>
Subject: Caution, You have delayed email on Amazon
X-Priority: 1
Message-ID: <a97c.7b129ec84b3@ourdomain.co.uk>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-Path: our.user@ourdomain.co.uk
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:;CTRY:GB;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(6019001)(6069001)(189002)(199002)(31966008)(77096001)(76786001)(85852003)(47736001)(74482001)(87836001)(59766001)(54316002)(36756003)(77982001)(47446002)(33646001)(15975445006)(76796001)(56776001)(79102001)(83072002)(76482001)(87266001)(85306002)(56816005)(81816001)(74366001)(90146001)(50466002)(80022001)(65816001)(69226001)(57986002)(94316002)(74662001)(74876001)(74706001)(93136001)(74502001)(92726001)(4396001)(558084003)(15202345003)(92566001)(16799955002)(20776003)(95666001)(44976005)(83322001)(23676002)(95416001)(23846002)(15188155005)(51856001)(53806001)(80976001)(76176001)(50986001)(94946001)(47976001)(81342001)(25786004)(19580395003)(76506004)(63696002)(46102001)(86362001)(93516002)(49866001)(81542001)(54356001)(6896010);DIR:INB;SFP:;SCL:5;SRVR:DB3FFO11HUB061;H:localhost;CLIP:;FPR:AED7DDE7.5CB3D7CD.9053F5B0.EAD5ACDA.20045;MLV:sfv;InfoDomainNonexistentMX:1;A:1;LANG:en;
Received-SPF: None (: ourdomain.co.uk does not designate permitted sender
Question by:NELMO

Expert Comment

by: John Hurst
ID: 39867791
I saw something similar to that at a client. The explanation from the ISP / Email vendor was that the client's webmail email (not his computer) was compromised and "undeliverable messages" started.

The solution was to change the webmail password to a different and more secure password. That solved the issue.

I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

I suspect that both are possibilities. Scan for malware and change the email password right away.

Expert Comment

ID: 39868782
localhost is usually the default hostname on Fedora/Red Hat unless somebody sets a meaningful name.
Ask the network owner (a hosting company in Canada) what happened.

$ whois
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% Abuse contact for ' -' is 'abuse@peer1.com'

inetnum: -
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
admin-c:        NOC116-RIPE
tech-c:         NOC116-RIPE
status:         ASSIGNED PA
mnt-by:         PNE-NETADMIN-MNT
mnt-lower:      PNE-NETADMIN-MNT
mnt-domains:    PNE-NETADMIN-MNT
mnt-routes:     PNE-NETADMIN-MNT
source:         RIPE # Filtered
remarks:        INFRA-AW

organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
address:        Peer 1 Network Inc. 1000-555 West Hastings Street V6B 4N5 Vancouver Canada
phone:          +16046837747
fax-no:         +16046834634
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        PNE-NETADMIN-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        PE1
source:         RIPE # Filtered

person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.71 (WHOIS3)

Author Comment

ID: 39870890
I have sent a query off to the RIPE abuse address, waiting for a reply.
However this is only one of the undeliverable messages that this user has received. The others come from various other networks (USA and India predominantly).
This morning he received another batch of 20 Undeliverables!

I have checked his account through Exchange Manager and there is no record of emails being sent from his address so I am safe to assume the problem is not at this end.
What are the relevant parts of the header that I should look at to try and track where it is originating from (or is that possible).

He has quickly gone from "What is going on" to "JUST GET THIS SORTED"


Expert Comment

ID: 39870963
Probably some of his contacts got some Outlook virus that sends mass mails in his name, and he gets the bounces. You can add some DNSBL checks to your incoming mailer, but in general, to stop it, his friend must clean the viruses.
Examine carefully all headers of the original mails included in the bounce messages.
Don't send anything to RIPE, they don't spam anybody, they just issue IP addresses in Europe.
This is IP owner:
person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

Expert Comment

ID: 39871374
Actually your message is missing headers (they don't tell where YOU received it from), and the outlook.com headers seem fake.

Author Comment

ID: 39873317
I now have another user getting the same (although not as many - yet) undeliverable mail messages.
They are being returned from a variety of sources - a university in Boston USA, a Web Designer from Australia and a Technology Company in India!

I looked into DNSBL (very interesting). Got to the dnsbl-check site and ran a check on our mail server. We got the 'all clear' as I expected. I could block the IP addresses of where the 'undeliverables' come from, but that would be no good, it is legitimate mailservers answering wrong addressees.

The two users both have hundreds of contacts (many that would overlap); it would be impossible to find out which one is infected, as I am sure one or more of them are.

For now I am getting them just to delete the messages and hope their occurrence slows down.

For now I am stumped!!

Accepted Solution

gheist earned 1500 total points
ID: 39873437
You can dig something from the headers.
I just checked:
the only address you share sends spam backscatter (the one your bosses are getting), so you can block bounces (i.e. empty MAIL FROM) from backscatter IPs (easy to say, probably hard to implement on your mailer even if it supports DNSBL, good luck).
4xx will also make their problems noticeable to them by filling their mail queues.

Normally nowadays a mail server is expected to reject wrong mail in the SMTP session as well as possible, and not queue mail for unknown users and then send a bounce message.

Author Closing Comment

ID: 39909000
Spam is still just something we all have to live with, but your links to the dnsbl sites have given me some more tools for finding information to give to my users.



Expert Comment

ID: 39909800
You can implement DNSBL checks and prevent the most prevalent classes of spam:
User sends you spam mail (as attachment so you see the headers)
You dig originating IP
You find the easiest way to block class of spam (dnsbl...)
And tell user to tell you if they get more spam...
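The header walk and DNSBL lookup that the accepted solution and the comment above describe, as an added example that is not from the original thread or from any of its participants. It assumes the anonymised domain ourdomain.co.uk used in the question and a hypothetical MX hostname mail.ourdomain.co.uk; the sample bounce is constructed for the example using RFC 5737 documentation addresses and invented remote hostnames, and zen.spamhaus.org and ips.backscatterer.org are real public DNSBL zones.

```python
"""Bounce triage: quoted original headers -> originating IP -> backscatter? -> DNSBL names."""
import email
import email.utils
import re
import socket

# Assumptions for this example: our domain and our own inbound mail hosts (hypothetical).
OUR_DOMAIN = "ourdomain.co.uk"
OUR_MAIL_HOSTS = {"mail.ourdomain.co.uk"}

# Constructed sample bounce mirroring the one in the question; the IPs (RFC 5737
# documentation ranges) and the remote hostnames are invented.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: postmaster@example-recipient.test
To: our.user@ourdomain.co.uk
Subject: Undeliverable: Caution, You have delayed email on Amazon

Delivery has failed to these recipients or groups:

Original message headers:

Received: from edge.example-recipient.test (192.0.2.10) by
 hub.example-recipient.test (192.0.2.11) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (203.0.113.45) by
 edge.example-recipient.test (192.0.2.10) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Return-Path: our.user@ourdomain.co.uk
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?P<paren>[^)]*)\)\s+by\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """(helo_name, client_ip, receiving_host) from one Received: header, or None."""
    flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("paren"))
    return m.group("helo"), (ip.group(1) if ip else None), m.group("by").rstrip(".")


def quoted_original(bounce_text):
    """Parse the original message's headers as quoted inside the bounce body."""
    _, found, tail = bounce_text.partition("Original message headers:")
    return email.message_from_string(tail.lstrip("\n")) if found else None


def analyze(bounce_text):
    """Classify a bounce and locate the host that injected the original mail."""
    bounce = email.message_from_string(bounce_text)
    subject = (bounce.get("Subject") or "").lower()
    result = {  # a missing Return-Path is treated like the null sender
        "null_sender": (bounce.get("Return-Path") or "").strip() in ("", "<>"),
        "looks_like_bounce": subject.startswith(("undeliverable", "delivery status")),
        "originating_ip": None, "touched_our_servers": False, "backscatter": False,
    }
    original = quoted_original(bounce_text)
    if original is None:
        return result
    hops = [h for h in map(parse_received, original.get_all("Received", [])) if h]
    # Received: headers are prepended as mail travels, so the LAST one is the
    # earliest hop: the client that handed the message to the remote side.
    if hops:
        result["originating_ip"] = hops[-1][1]
    result["touched_our_servers"] = any(by in OUR_MAIL_HOSTS for _, _, by in hops)
    from_addr = email.utils.parseaddr(original.get("From", ""))[1].lower()
    # Backscatter: a null-sender bounce for mail that claims our domain but never
    # passed through our servers; the remote site accepted the forgery and then
    # bounced it to the forged sender, i.e. to our user.
    result["backscatter"] = (result["null_sender"] and result["looks_like_bounce"]
                             and from_addr.endswith("@" + OUR_DOMAIN)
                             and not result["touched_our_servers"])
    return result


def dnsbl_query_name(ip, zone):
    """Name to resolve for an IPv4 DNSBL lookup: reversed octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 address expected")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zone):
    """Live lookup (needs network): True listed, False not listed, None on error.
    DNSBLs answer a listing with an address in 127.0.0.0/8."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:  # NXDOMAIN means "not listed"
        return False if exc.errno == getattr(socket, "EAI_NONAME", None) else None
    except OSError:
        return None
    return answer.startswith("127.")
```

Run analyze() on a bounce saved as text (have the user forward the bounce as an attachment so the headers survive, as the comment above suggests). The walk stops at the earliest Received: line because the quoted headers begin at the remote site's edge: nothing in them shows the message ever touching our server, which is exactly what makes this backscatter rather than a compromised mailbox. Query zen.spamhaus.org for the originating IP; query ips.backscatterer.org only for the IP of the server that sent the null-sender bounce, since it lists backscatter emitters, not spam sources. On a Postfix MX, the SMTP-time rejection the accepted solution calls for is reject_unlisted_recipient together with reject_rbl_client zen.spamhaus.org in smtpd_recipient_restrictions.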
