Suspicious Exchange Forward

Hello experts,

I have a very strange issue with Exchange 2007 and I need some help. We are always fighting spam and malicious emails, and most issues with them are straightforward. However, we have been getting emails addressed to a non-existent user, gsewsrsr, which are then forwarded to a brand new user, jdoe. I see the email come through the Barracuda to gsewsrsr@ourdoamin.com, get "Allowed", and then get forwarded to the inbox of jdoe@mydomain.com. I have checked throughout Exchange and there is no reference to gsewsrsr anywhere in distribution lists, mailboxes, aliases, etc. I am worried this is some sort of Exchange infection, as I cannot figure out (A) why the email to gsewsrsr is being accepted by our domain and (B) why it is being forwarded to jdoe (who, by the way, is a brand new user).

Exchange version is 2007 SP3, running on Server 2003 R2 64-bit.
Thanks!
sarasotamac (IT Manager) asked:
FarWest commented:
In email servers there is an account called a Catch All account: whatever email address is not found on the server but belongs to the authoritative domains will be sent to that user.
0
Simon Butler (Sembee), Consultant, commented:
Exchange doesn't have a catch all by default, and setting one up isn't straightforward.
The first question to ask is: are you doing recipient filtering on your appliance? If not, why not? Recipient filtering should always be the first thing that is done, so you drop email for non-valid recipients.

The second thing to be aware of is that spam is spoofed. Nothing about spam can be depended on. They use all sorts of tricks, the main one being the BCC field to hide the true recipient list. As such, it could be that the actual sender is in the BCC.

Simon.
0

sarasotamac (IT Manager, author) commented:
Good point on the BCC. I missed that.
0
sarasotamac (IT Manager, author) commented:
I'm looking now on the Barracuda to be sure recipient filtering is turned on.
0
FarWest commented:
I don't think it is a BCC:
"jdoe (who by the way is a brand new user)"
0
sarasotamac (IT Manager, author) commented:
FarWest, what do you think then, catch all?
0
FarWest commented:
Based on your description of the problem, I highly suspect the issue is a "Catch All".
Please validate this as part of your checks as well.
0
sarasotamac (IT Manager, author) commented:
So in the article you linked to above, I see the command get-transportagent | fl listed. I ran it; what exactly am I looking for?
0
FarWest commented:
Please note: if your new user is really jdoe@xxx and your email system was established a long time ago, please verify that this name was not used before for a system admin or a similar position.
0

FarWest commented:
Did you see any catchall as an agent name?
Could you send a screenshot of the output?
BTW: are you using any external email relay service?
0
sarasotamac (IT Manager, author) commented:
[PS] C:\Documents and Settings\administrator.DC>get-transportagent | fl


Identity              : Transport Rule Agent
Enabled               : True
Priority              : 1
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll

Identity              : Journaling Agent
Enabled               : True
Priority              : 2
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.Journaling.JournalAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\Journaling\Microsoft.Exchange.MessagingPolicies.JournalAgent.dll

Identity              : AD RMS Prelicensing Agent
Enabled               : False
Priority              : 3
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.RmSvcAgent.PrelicenseAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\RmSvc\Microsoft.Exchange.MessagingPolicies.RmSvcAgent.dll
0
FarWest commented:
Nothing abnormal, and no catchall, in the transport agents.
0
sarasotamac (IT Manager, author) commented:
Awesome, good to know.
0
sarasotamac (IT Manager, author) commented:
So I checked with our HR and there wasn't a jdoe, but there was a bdoe previously (different first initial, same last name). We do see a lot of spam trying combinations of usernames, so I guess there is a possibility it's related.

So is there no way to actually see the BCC data?
0
Neil Russell, Technical Development Lead, commented:
Have you examined the Email Headers to see exactly who the email was sent to? Just because it says one thing does not mean that that is the only person it was sent to.
0
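A consolidated Exchange-side check, added here as an example and not posted by anyone in the thread. It covers Simon's point that the visible To: header cannot be trusted, FarWest's request to look for a catch-all or an unexpected transport agent, and Neil's suggestion to establish who the message was really sent to, by asking Exchange itself rather than the message. It assumes an Exchange 2007 Management Shell on the Hub Transport server that handled the message, uses the thread's placeholder addresses, and the variable names and the seven-day window are assumptions for illustration. The Barracuda's recipient filtering has to be checked on the appliance; step 1 is the recipient list it would be validating against.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell
# on the Hub Transport server that handled the message. Addresses are the
# thread's placeholders; variable names and the time window are assumptions.
$suspect = "gsewsrsr@ourdoamin.com"
$target  = "jdoe@mydomain.com"
$since   = (Get-Date).AddDays(-7)

# 1. Does Exchange know the address at all? Get-Recipient spans every recipient
#    type (mailboxes, contacts, mail users, distribution and dynamic groups), so
#    it finds an entry that a mailbox-only search would miss.
$hit = Get-Recipient -Identity $suspect -ErrorAction SilentlyContinue
if ($hit -eq $null) {
    "$suspect is not a known recipient; Exchange would reject it unless something accepts it upstream"
} else {
    "{0} resolves to '{1}' of type {2}" -f $suspect, $hit.Name, $hit.RecipientType
    if ($hit.RecipientType -eq "DynamicDistributionGroup") {
        $ddg = Get-DynamicDistributionGroup -Identity $hit.Identity
        "Dynamic membership filter: " + $ddg.RecipientFilter
    } elseif ($hit.RecipientType -like "*Group") {
        "Static members:"
        Get-DistributionGroupMember -Identity $hit.Identity |
            Select-Object Name, PrimarySmtpAddress, RecipientType
    }
}

# 2. Transport agents that are not Microsoft's own. A catch-all on Exchange 2007
#    needs a third-party agent; the product ships none.
"Non-Microsoft transport agents on this server:"
Get-TransportAgent |
    Where-Object { $_.TransportAgentFactory -notlike "Microsoft.Exchange.*" } |
    Select-Object Identity, Enabled, Priority, AssemblyPath

# 3. Transport rules whose actions mention the target address, e.g. a redirect
#    or a Bcc action. The rule actions are rendered to text and searched, which
#    is a blunt but agent-independent way to catch any action type.
"Transport rules that reference ${target}:"
Get-TransportRule | Where-Object {
    ($_.Actions | Format-List * | Out-String) -match [regex]::Escape($target)
} | Select-Object Name, State, Priority

# 4. The message tracking log records the envelope recipients and an EXPAND
#    event when a group is expanded, regardless of what the To: header claims.
#    RelatedRecipientAddress on the EXPAND row is the group that was expanded.
Get-MessageTrackingLog -Recipients $suspect -Start $since -ResultSize Unlimited |
    Sort-Object Timestamp |
    Select-Object Timestamp, EventId, Source, Sender, RelatedRecipientAddress,
        @{ Name = "Recipients"; Expression = { [string]::Join(";", $_.Recipients) } },
        MessageSubject
```

Get-TransportAgent and Get-MessageTrackingLog query the local server by default; with more than one Hub Transport server, repeat steps 2 and 4 with -Server for each, or for step 4 run the same query against each server and merge the rows. Step 1 is the check that would have surfaced the distribution list the thread ends on, since it does not depend on the object being a mailbox or on the address being the group's display name. [string]::Join is used instead of the -join operator so the snippet also runs under the PowerShell 1.0 shell that Exchange 2007 ships with.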
Neil Russell, Technical Development Lead, commented:
Could you explain what you have used as the solution as your 4 choices do not lend to a single solution.
0
sarasotamac (IT Manager, author) commented:
I made a silly mistake: gsewsrsr@ourdoamin.com was actually tied to a distribution list within Exchange. I gave each person who participated credit since there was no single provided solution; however, I thought each of the accepted solutions was helpful.

Thanks, and excuse my mistake.
0