
Suspicious Exchange Forward

Hello experts,

I have a very strange issue with Exchange 2007 and I need some help. We are always fighting SPAM and malicious emails, and most issues with them are straightforward. However, we have been getting emails to a non-existent user, gsewsrsr, and then they are forwarded to a brand new user, jdoe. I see the email come through the Barracuda to gsewsrsr@ourdomain.com, get "Allowed", and then be forwarded to the inbox of jdoe@mydomain.com. I have checked throughout Exchange and there is no reference to gsewsrsr anywhere in distro lists, mailboxes, aliases, etc. I am worried this is some sort of Exchange infection, as I cannot figure out why (A) the email to gsewsrsr is being accepted by our domain and (B) why it is being forwarded to jdoe (who, by the way, is a brand new user).

Exchange version is 2007 SP3, running on Server 2003 R2 64-bit.
Thanks!

Commented:
In email servers there is an account called a Catch All Account: whatever email address is not found on the server but belongs to the authoritative domains will be sent to that user.
Commented:
Exchange doesn't have a catch all by default, and setting one up isn't straight forward.
The first question to ask is are you doing recipient filtering on your appliance? If not, why not? Recipient filtering should always be the first thing that is done, so you drop email for non-valid recipients.

Second thing to be aware of is that spam is spoofed. Nothing about spam can be depended on. They use all sorts of tricks, the main one being the BCC field to hide the true recipient list. As such it could be that the actual recipient is in BCC.

Simon.
sarasotamac (IT Manager, Author) commented:
Good point on the BCC. I missed that.
sarasotamac (IT Manager, Author) commented:
I'm looking now on the Barracuda to be sure recipient filtering is turned on.

Commented:
I don't think it is a BCC:
"jdoe (who by the way is a brand new user)"
sarasotamac (IT Manager, Author) commented:
FarWest, what do you think then, catch all?

Commented:
Based on your description of the problem, I highly suspect the issue is a "Catch All".
Please validate this as part of your checks as well.
sarasotamac (IT Manager, Author) commented:
So in the article you linked to above, I see the command get-transportagent | fl listed. I ran it; what exactly am I looking for?
Commented:
Please note: if your new user is really jdoe@xxx and your email system was established a long time ago, please verify that this name was not used before for a system admin or similar position.

Commented:
Did you see any catch-all as an agent name?
Could you send a screenshot of the output?
BTW: are you using any external email relay service?
sarasotamac (IT Manager, Author) commented:
[PS] C:\Documents and Settings\administrator.DC>get-transportagent | fl

Identity              : Transport Rule Agent
Enabled               : True
Priority              : 1
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.TransportRuleAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\Rule\Microsoft.Exchange.MessagingPolicies.TransportRuleAgent.dll

Identity              : Journaling Agent
Enabled               : True
Priority              : 2
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.Journaling.JournalAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\Journaling\Microsoft.Exchange.MessagingPolicies.JournalAgent.dll

Identity              : AD RMS Prelicensing Agent
Enabled               : False
Priority              : 3
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.RmSvcAgent.PrelicenseAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRoles\agents\RmSvc\Microsoft.Exchange.MessagingPolicies.RmSvcAgent.dll
Commented:
Nothing abnormal or catch-all in the transport agents.
sarasotamac (IT Manager, Author) commented:
Awesome, good to know.
sarasotamac (IT Manager, Author) commented:
So I checked with our HR and there wasn't a jdoe, but there was a bdoe previously (different first initial, same last name). We do see a lot of spam trying combinations of usernames, so I guess there is a possibility it's related.

So is there no way to actually see the BCC data?
Neil Russell (Technical Development Lead) commented:
Have you examined the Email Headers to see exactly who the email was sent to? Just because it says one thing does not mean that that is the only person it was sent to.
Neil Russell (Technical Development Lead) commented:
Could you explain what you have used as the solution, as your 4 choices do not lend themselves to a single solution?
sarasotamac (IT Manager, Author) commented:
I made a silly mistake: gsewsrsr@ourdomain.com was actually tied to a distro list within Exchange. I gave each person who participated credit since there was no single provided solution; however, I thought each of the accepted solutions was helpful.

Thanks, and excuse my mistake.
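The checks the thread walks through by hand (recipient filtering, transport agents, where an unknown address actually resolves, and the hop to jdoe) can be run as one Exchange Management Shell pass. This is an added example, not a script from the thread or from Microsoft; the addresses are the thread's placeholders and the 7-day tracking window is an assumption.

```powershell
# Added example (not from the thread): triage an address that is accepted and
# delivered although it appears in no mailbox or list. Run in the Exchange 2007
# Management Shell on a Hub Transport server. Placeholder addresses from the thread.
$Address = 'gsewsrsr@ourdomain.com'
$Alias   = $Address.Split('@')[0]

# 1. Domain type: an InternalRelay/ExternalRelay accepted domain passes mail for
#    unknown recipients onward, which from the outside looks like a catch-all.
Get-AcceptedDomain | Select-Object Name, DomainName, DomainType

# 2. Recipient filtering: only RecipientValidationEnabled rejects unknown
#    recipients at SMTP time instead of accepting and routing them.
Get-RecipientFilterConfig | Select-Object Enabled, RecipientValidationEnabled

# 3. Every directory object owning the address as a proxy address: mailboxes,
#    mail contacts, distribution groups and dynamic groups in one query. This is
#    where the distribution list found at the end of the thread would surface.
$Owners = Get-Recipient -ResultSize Unlimited `
    -Filter "EmailAddresses -like 'smtp:$Alias@*'"
$Owners | Format-Table Name, RecipientType, PrimarySmtpAddress -AutoSize

foreach ($o in $Owners) {
    # Static groups only; dynamic groups have no fixed member list to enumerate.
    if ($o.RecipientType -like 'Mail*Group') {
        Write-Host "Members of $($o.Name):"
        Get-DistributionGroupMember -Identity $o.Identity |
            Select-Object Name, PrimarySmtpAddress
    }
}

# 4. Mailbox-level forwarding does not appear in Get-TransportAgent output;
#    list every mailbox that forwards so an unexpected one stands out.
Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingAddress -ne $null' |
    Select-Object Name, ForwardingAddress, DeliverToMailboxAndForward

# 5. Transport rules can redirect or add recipients as well.
Get-TransportRule | Select-Object Name, State, Description

# 6. Message tracking: EXPAND, RESOLVE and REDIRECT events carry the object that
#    changed the recipient, showing the hop from the unknown address to jdoe.
$Interesting = 'EXPAND', 'RESOLVE', 'REDIRECT', 'DELIVER'
Get-MessageTrackingLog -Recipients $Address -ResultSize Unlimited `
    -Start (Get-Date).AddDays(-7) -End (Get-Date) |
    Where-Object { $Interesting -contains $_.EventId } |
    Select-Object Timestamp, EventId, Sender, RelatedRecipientAddress,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } }
```

If step 3 returns nothing yet step 6 shows a DELIVER event, the recipient was rewritten outside the directory (relay domain, transport rule or forwarding), which is the case worth escalating.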