How to block incomming Delivery has failed messages for a specific user in exchange 2007

I have a user who's email address has been hijacked and is being used for spam.. it is not being sent using our system, but she keeps getting Undeliverable bounce backs (Delivery has failed messages).  I created a local rule to permanently delete the messages, but it is still causing issues on her Iphone.. they do delete after a while, but not quick enough.  I would like to use a transport rule to take care of the issue.. Every couple of weeks I will turn it off to see if they are no longer using her address..

I have setup several different rules, but none of them seem to work...
this includes
sent to = her account
subject contains or body contains =  "Delivery has failed" (a separate rule) or "Undeliverable"

There must be a way to set this up to stop these messages..
any help would be great.... thank you in advance experts
David ModugnoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jackson CreagerMicrosoft Exchange EngineerCommented:
Block at the Firewall,  Just block the user sending the email (email Address)
Or you can block it in exchange per the Exchange properties for the user that is getting the mail.  
Depends how you want to go about it.   The best I believe is at the Firewall that way it never hits the Exchange Server at all, and the user does not have to mess with it.

Another option I just thought of is to Change the Users email address, yes a pain and she will need to let the clients know on the outside, but that maybe the best way.   Just another option.
David ModugnoAuthor Commented:
thats the point... it looks like my user is sending the emails.... they are using her address to spam..
its not generating from her computer... if i look at the header I the originating server keeps changing..

so they spam people to the receiving mail server it was sent from (my users email)..
because its a mass spam... if they hit addresses that are not real (and they do)... my user gets a bounce back of undeliverable message....
Jackson CreagerMicrosoft Exchange EngineerCommented:
The only thing I could think of on that, would be to Just shut down the address,  Beyond that is all the control you have since like you stated it is not coming from you network or user.  There is no place to really report it stolen,  I know on our network I have put Domain Keys, and SPF's to help Keep that stuff from happening.  Its the burden of the Email Server/Network Receiving the email to verify that the email is valid by using the Standards set in place.  But the only way to help you would be to change her address and block anything coming in with that address or have it go to a Admin mailbox she can see what is real and not until she gets the news out there on her new mail address.

Hope this helps some.....  Bad Situation I have never seen in my years...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.