Undeliverable messages that were not sent!

Posted on 2014-02-18
Medium Priority
Last Modified: 2014-03-06
One of our users received 20+ 'undeliverable messages' at about 6:00 AM this morning.
Most came from the same postmaster@sww.co.au but also MAILER-DAEMON@uecomm.net.au

The header says:
Received: from localhost (

But that is nothing like our public IP.

I would like to give the user a bit of an explanation as to why they have had all these undeliverable messages.
I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

Any other thoughts experts?


Copy of a message header:

From: postmaster@ssw.com.au [mailto:postmaster@ssw.com.au]
Sent: 18 February 2014 05:54
To: Our User
Subject: Undeliverable: Caution, You have delayed email on Amazon

Delivery has failed to these recipients or groups:

The email address that you entered couldn't be found. Check the address and try resending the message. If the problem continues, please contact your helpdesk.

The following organisation rejected your message: SYDEXCH2013P01.sydney.ssw.com.au.

Diagnostic information for administrators:

Generating server: DB3FFO11HUB061.mail.protection.outlook.com

SYDEXCH2013P01.sydney.ssw.com.au #<SYDEXCH2013P01.sydney.ssw.com.au #5.1.1 smtp;550 5.1.1 User unknown> #SMTP#

Original message headers:

Received: from DB3FFO11FD042.protection.gbl ( by
 DB3FFO11HUB061.protection.gbl ( with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost ( by
 DB3FFO11FD042.mail.protection.outlook.com ( with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.co.uk>
Date: Tue, 18 Feb 2014 05:53:54 +0000
To: "girlfritendwill@ssw.com.au" <girlfritendwill@ssw.com.au>
Subject: Caution, You have delayed email on Amazon
X-Priority: 1
Message-ID: <a97c.7b129ec84b3@ourdomain.co.uk>
MIME-Version: 1.0
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Return-Path: our.user@ourdomain.co.uk
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:;CTRY:GB;IPV:NLI;EFV:NLI;SFV:SPM;SFS:(6019001)(6069001)(189002)(199002)(31966008)(77096001)(76786001)(85852003)(47736001)(74482001)(87836001)(59766001)(54316002)(36756003)(77982001)(47446002)(33646001)(15975445006)(76796001)(56776001)(79102001)(83072002)(76482001)(87266001)(85306002)(56816005)(81816001)(74366001)(90146001)(50466002)(80022001)(65816001)(69226001)(57986002)(94316002)(74662001)(74876001)(74706001)(93136001)(74502001)(92726001)(4396001)(558084003)(15202345003)(92566001)(16799955002)(20776003)(95666001)(44976005)(83322001)(23676002)(95416001)(23846002)(15188155005)(51856001)(53806001)(80976001)(76176001)(50986001)(94946001)(47976001)(81342001)(25786004)(19580395003)(76506004)(63696002)(46102001)(86362001)(93516002)(49866001)(81542001)(54356001)(6896010);DIR:INB;SFP:;SCL:5;SRVR:DB3FFO11HUB061;H:localhost;CLIP:;FPR:AED7DDE7.5CB3D7CD.9053F5B0.EAD5ACDA.20045;MLV:sfv;InfoDomainNonexistentMX:1;A:1;LANG:en;
Received-SPF: None (: ourdomain.co.uk does not designate permitted sender
Question by: NELMO
LVL 97

Expert Comment

by:John Hurst
ID: 39867791
I saw something similar to that at a client. The explanation from the ISP / Email vendor was that the client's webmail email (not his computer) was compromised and "undeliverable messages" started.

The solution was to change the webmail password to a different and more secure password. That solved the issue.

I suspect the mail supposedly coming from him is from
A. an infected PC/account or
B. his email address has been harvested from someone's address book.

I suspect that both are possibilities. Scan for malware and change the email password right away.
LVL 62

Expert Comment

ID: 39868782
localhost is usually the default hostname on Fedora/RedHat unless somebody sets a meaningful name.
Ask the network owner (a hosting company in Canada) what happened.

$ whois
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% Abuse contact for ' -' is 'abuse@peer1.com'

inetnum: -
netname:        EU-PER1
descr:          Peer 1 Network Enterprises Limited
country:        GB
org:            ORG-PNEL1-RIPE
admin-c:        NOC116-RIPE
tech-c:         NOC116-RIPE
status:         ASSIGNED PA
mnt-by:         PNE-NETADMIN-MNT
mnt-lower:      PNE-NETADMIN-MNT
mnt-domains:    PNE-NETADMIN-MNT
mnt-routes:     PNE-NETADMIN-MNT
source:         RIPE # Filtered
remarks:        INFRA-AW

organisation:   ORG-PNEL1-RIPE
org-name:       Peer 1 Network Enterprises Limited
org-type:       LIR
address:        Peer 1 Network Inc. 1000-555 West Hastings Street V6B 4N5 Vancouver Canada
phone:          +16046837747
fax-no:         +16046834634
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        PNE-NETADMIN-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        PE1
source:         RIPE # Filtered

person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.71 (WHOIS3)

Author Comment

ID: 39870890
I have sent a query off to the RIPE abuse address, waiting for a reply.
However, this is only one of the undeliverable messages that this user has received. The others come from various other networks (USA and India predominantly).
This morning he received another batch of 20 Undeliverables!

I have checked his account through Exchange Manager and there is no record of emails being sent from his address, so I am safe to assume the problem is not at this end.
What are the relevant parts of the header that I should look at to try and track where it is originating from (or is that possible)?

He has quickly gone from "What is going on?" to "JUST GET THIS SORTED".

LVL 62

Expert Comment

ID: 39870963
Probably some of his contacts got an Outlook virus that sends mass mails in his name, and he gets the bounces. You can add some DNSBL checks to your incoming mailer, but in general, to stop it, his friend must clean the viruses.
Examine carefully all headers of the original mails included in the bounce messages.
Don't send anything to RIPE; they don't spam anybody, they just issue IP addresses in Europe.
This is the IP owner:
person:         Peer 1 Support
address:        Suite 1000 - 555 West Hastings St.
address:        Vancouver
address:        British Columbia
address:        Canada
phone:          +6044842588
nic-hdl:        NOC116-RIPE
mnt-by:         PNE-NETADMIN-MNT
source:         RIPE # Filtered
LVL 62

Expert Comment

ID: 39871374
Actually, your message is missing headers (they don't tell where YOU received it from) and the outlook.com headers seem fake.

Author Comment

ID: 39873317
I now have another user getting the same (although not as many - yet) undeliverable mail messages.
They are being returned from a variety of sources - a university in Boston USA, a Web Designer from Australia and a Technology Company in India!

I looked into DNSBL (very interesting). Got to the dnsbl-check site and ran a check on our mail server. We got the 'all clear' as I expected. I could block the IP addresses of where the 'undeliverables' come from, but that would be no good, it is legitimate mailservers answering wrong addressees.

The two users both have hundreds of contacts (many that would overlap); it would be impossible to find out which one is infected, as I am sure one or more of them are.

For now I am getting them just to delete the messages and hope their occurrence slows down.

For now I am stumped!!
LVL 62

Accepted Solution

gheist earned 1500 total points
ID: 39873437
You can dig something from the headers.
I just checked:
the only address you shared sends spam backscatter (the one your bosses are getting), so you can block bounces (i.e. empty MAIL FROM) from backscatter IPs (easy to say, probably hard to implement on your mailer even if it supports DNSBL, good luck).
4xx will also make their problems noticeable to them by filling their mail queues.

Normally nowadays a mail server is expected to reject wrong mail in the SMTP session as well as possible, and not queue mail for unknown users and then send a bounce message.

Author Closing Comment

ID: 39909000
Spam is still just something we all have to live with, but your links to the dnsbl sites have given me some more tools for finding information to give to my users.


LVL 62

Expert Comment

ID: 39909800
You can implement DNSBL checks and prevent most prevalent classes of SPAM
User sends you spam mail (as attachment so you see the headers)
You dig originating IP
You find the easiest way to block class of spam (dnsbl...)
And tell user to tell you if they get more spam...
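The two procedures the thread settles on, worked through in code: dig the originating IP out of the headers quoted inside a bounce, then decide at SMTP time what to do with bounces (empty MAIL FROM) arriving from a host that a backscatter DNSBL lists, and, on the other side, stop being a backscatter source yourself by rejecting unknown recipients in-session instead of accept-then-bounce. This is an added example written for this page, not code from the thread or from any mail product. The bounce text, every IP in it (RFC 5737 documentation ranges), the DNSBL zone `bl.backscatter.example` and the `stub_lookup` resolver are constructed placeholders, and all function names are my own.

```python
import ipaddress
import re
import socket

# Assumption: placeholder zone standing in for whatever backscatter-oriented DNSBL
# you subscribe to. It does not resolve; the stub resolver below answers for it.
BACKSCATTER_ZONE = "bl.backscatter.example"

# Constructed sample bounce, modelled on the headers pasted in the question.
# All IPs are RFC 5737 documentation addresses; no real host is referenced.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mail.remote.example ([198.51.100.10])
 by mx.ourdomain.example with ESMTP; Tue, 18 Feb 2014 06:01:02 +0000
From: postmaster@remote.example
To: our.user@ourdomain.example
Subject: Undeliverable: Caution, You have delayed email on Amazon

Original message headers:

Received: from DB3FFO11FD042.protection.gbl (10.0.0.5) by
 DB3FFO11HUB061.protection.gbl (10.0.0.6) with Microsoft SMTP Server (TLS)
 id 15.0.868.13; Tue, 18 Feb 2014 05:53:55 +0000
Received: from localhost (203.0.113.77) by
 DB3FFO11FD042.mail.protection.outlook.com (10.0.0.5) with Microsoft SMTP
 Server id 15.0.868.13 via Frontend Transport; Tue, 18 Feb 2014 05:53:54 +0000
From: The Amazon Reminder <our.user@ourdomain.example>
Return-Path: our.user@ourdomain.example
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Hops inside these ranges are internal relays, not the point of origin.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def split_bounce(bounce_text):
    """Return (the bounce's own headers, the quoted original message headers)."""
    outer, _, original = bounce_text.partition("Original message headers:")
    return outer, original

def received_headers(header_text):
    """Unfold continuation lines and list the Received: values top to bottom."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)
    return [line[len("Received:"):].strip()
            for line in unfolded.splitlines() if line.startswith("Received:")]

def originating_ip(received):
    """Walk Received: lines bottom-up (earliest hop first) and return the first
    non-internal IP a relay reports having accepted the message from. Only hops
    written by servers you trust are reliable; lower ones can be forged."""
    for value in reversed(received):
        match = IPV4.search(value.split(" by ", 1)[0])
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL):
            return str(ip)
    return None

def dnsbl_query_name(ip, zone=BACKSCATTER_ZONE):
    """Reversed-octet name that IPv4 DNSBLs are queried with."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def live_lookup(name):
    """Real resolver: a DNSBL answers with a 127.0.0.x address when listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

# Constructed offline stand-in for the resolver: the server that bounced to us is
# listed; the spammer's host is not, because backscatter lists track bouncers.
STUB_LISTINGS = {dnsbl_query_name("198.51.100.10"): "127.0.0.2"}

def stub_lookup(name):
    return STUB_LISTINGS.get(name)

def bounce_policy(mail_from, client_ip, lookup=stub_lookup, tempfail=False):
    """SMTP-time decision for one connection. Bounces use an empty MAIL FROM (<>);
    only those are checked against the backscatter list, so ordinary mail from the
    same host passes. tempfail=True answers 4xx, which keeps the message sitting in
    the bouncing site's queue where they will notice it."""
    if mail_from not in ("", "<>"):
        return "250 2.1.0 OK"
    if lookup(dnsbl_query_name(client_ip)) is None:
        return "250 2.1.0 OK"
    if tempfail:
        return "450 4.7.1 Bounce from backscatter-listed host deferred, try later"
    return "554 5.7.1 Bounce from backscatter-listed host rejected"

def rcpt_policy(recipient, local_users):
    """The other half: reject unknown recipients during the SMTP session rather
    than accept-then-bounce, since that later bounce is what becomes backscatter."""
    return "250 2.1.5 OK" if recipient in local_users else "550 5.1.1 User unknown"
```

On the constructed bounce, `originating_ip(received_headers(outer))` reports 198.51.100.10, the host that bounced to us (the one a backscatter list would know about and the one whose null-sender mail the policy refuses), while the same call on the quoted original headers reports 203.0.113.77 as where the forged "Amazon" message actually entered the mail system, which is the address to give an abuse desk. Swap `stub_lookup` for `live_lookup` to query a real zone. In Postfix the same null-sender condition is expressed with `check_sender_access` mapping `<>` to a restriction class that runs `reject_rbl_client`, and `reject_unverified_recipient` or a proper local recipient table does the `rcpt_policy` part; other MTAs have equivalents.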
