• Status: Solved
  • Priority: Medium
  • Security: Public

Suspicious Exchange Forward

Hello experts,

I have a very strange issue with Exchange 2007 and I need some help. We are always fighting SPAM and malicious emails, and most issues with them are straightforward. However, we have been getting emails to a non-existent user, gsewsrsr, and then it is forwarded to a brand new user jdoe. I see the email come through the Barracuda, to gsewsrsr@ourdoamin.com, get "Allowed" and then forwarded to the inbox of jdoe@mydomain.com. I have checked throughout Exchange and there is no reference to gsewsrsr anywhere in distro lists, mailboxes, aliases, etc. I am worried this is some sort of Exchange infection, as I cannot figure out why (A) the email to gsewsrsr is being accepted by our domain and (B) why it is being forwarded to jdoe (who by the way is a brand new user).

Exchange version is 2007 SP3, running on Server 2003 R2 64-bit.
Thanks!
Asked:
sarasotamac

4 Solutions

FarWest Commented:
In email servers there is an account called the Catch All Account: whatever email address is not found on the server but belongs to the authoritative domains will be sent to that user.
Simon Butler (Sembee), Consultant, Commented:
Exchange doesn't have a catch all by default, and setting one up isn't straightforward.
The first question to ask is are you doing recipient filtering on your appliance? If not, why not? Recipient filtering should always be the first thing that is done, so you drop email for non-valid recipients.

Second thing to be aware of is that spam is spoofed. Everything about spam cannot be depended on. They use all sorts of tricks, the main one being the BCC field to hide the true recipient list. As such it could be that the actual sender is BCC.

Simon.
sarasotamac, IT Manager, Author Commented:
Good point on the BCC. I missed that.
sarasotamac, IT Manager, Author Commented:
I'm looking now on the Barracuda to be sure recipient filtering is turned on.
FarWest Commented:
I don't think it is a BCC.
"jdoe (who by the way is a brand new user)"
sarasotamac, IT Manager, Author Commented:
FarWest, what do you think then, catch all?
FarWest Commented:
Based on your story about the problem, I highly suspect this is the issue: "Catch All".
Please validate this as part of your validation as well.
sarasotamac, IT Manager, Author Commented:
So in the article you linked to above, I see the command >get-transportagent | fl listed. I ran it; what exactly am I looking for?
FarWest Commented:
Please note: if your new user is really jdoe@xxx and your email system was established a long time ago, please verify that this name was not used before for a system admin or similar position.
FarWest Commented:
Did you see any catchall as an agent name?
Could you send a screenshot of the output?
BTW: are you using any external email relay service?
sarasotamac, IT Manager, Author Commented:
[PS] C:\Documents and Settings\administrator.DC>get-transportagent | fl


Identity              : Transport Rule Agent
Enabled               : True
Priority              : 1
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.TransportRuleAgent
                        .TransportRuleAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRol
                        es\agents\Rule\Microsoft.Exchange.MessagingPolicies.Tra
                        nsportRuleAgent.dll

Identity              : Journaling Agent
Enabled               : True
Priority              : 2
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.Journaling.Journal
                        AgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRol
                        es\agents\Journaling\Microsoft.Exchange.MessagingPolici
                        es.JournalAgent.dll

Identity              : AD RMS Prelicensing Agent
Enabled               : False
Priority              : 3
TransportAgentFactory : Microsoft.Exchange.MessagingPolicies.RmSvcAgent.Prelice
                        nseAgentFactory
AssemblyPath          : F:\Program Files\Microsoft\Exchange Server\TransportRol
                        es\agents\RmSvc\Microsoft.Exchange.MessagingPolicies.Rm
                        SvcAgent.dll
FarWest Commented:
Nothing abnormal or catchall in the transport agents.
sarasotamac, IT Manager, Author Commented:
Awesome, good to know.
sarasotamac, IT Manager, Author Commented:
So I checked with our HR and there wasn't a jdoe, but there was a bdoe previously (different first initial, same last name). We do see a lot of spam trying combinations of usernames, so I guess there is a possibility it's related.

So no way to actually see the BCC data?
Neil Russell, Technical Development Lead, Commented:
Have you examined the email headers to see exactly who the email was sent to? Just because it says one thing does not mean that that is the only person it was sent to.
 
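Neil's point about the headers, as an added example that is not part of the thread: the To/Cc lines are whatever the sender wrote, while each Received: line may record the envelope recipient that hop actually delivered for (its "for <addr>" clause), which is where a BCC'd recipient shows up. The function below runs in PowerShell on pasted headers; the sample headers, hosts and addresses are constructed placeholders.

```powershell
# Added example, not from the thread: compare the recipients a message claims (To/Cc)
# with the envelope recipients the receiving hops recorded (the "for <addr>" clause
# of each Received: header). Addresses absent from To/Cc but present in a "for" clause
# were BCC'd or otherwise undisclosed. Hosts and addresses below are constructed placeholders.
function Compare-MessageRecipients {
    param([Parameter(Mandatory = $true)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a line starting with whitespace continues the previous one)
    $headerLines = ($RawHeaders -replace "`r?`n[ \t]+", " ") -split "`r?`n"
    $addressPattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+'

    $visible  = @()
    $envelope = @()
    foreach ($line in $headerLines) {
        if ($line -match '^(To|Cc):\s*(.+)$') {
            $visible += [regex]::Matches($Matches[2], $addressPattern) | ForEach-Object { $_.Value.ToLower() }
        } elseif ($line -match "^Received:.*\bfor\s+<?($addressPattern)>?") {
            $envelope += $Matches[1].ToLower()
        }
    }
    # Caveat: many MTAs (Exchange included) omit the "for" clause when a hop carried several
    # recipients, so an empty NotInHeaders result is not proof that there was no BCC.
    [pscustomobject]@{
        HeaderRecipients   = $visible  | Select-Object -Unique
        EnvelopeRecipients = $envelope | Select-Object -Unique
        NotInHeaders       = $envelope | Where-Object { $visible -notcontains $_ } | Select-Object -Unique
    }
}

# Constructed sample: To: names the non-existent user, but the last hop delivered for jdoe,
# and the earlier hop carries no "for" clause at all.
$sample = @'
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by hub01.ourdomain.example with ESMTP id ABC123
 for <jdoe@ourdomain.example>; Mon, 1 Jan 2001 10:00:00 +0000
Received: from relay.example.org ([198.51.100.7])
 by mail.example.net with ESMTP id XYZ789; Mon, 1 Jan 2001 09:59:58 +0000
From: "Sender" <sender@example.org>
To: gsewsrsr@ourdomain.example
Subject: test
'@
Compare-MessageRecipients -RawHeaders $sample | Format-List
```

For the sample, NotInHeaders comes back as jdoe@ourdomain.example: the address the hop delivered for but nothing in To/Cc names.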
Neil Russell, Technical Development Lead, Commented:
Could you explain what you have used as the solution, as your 4 choices do not lend themselves to a single solution?
sarasotamac, IT Manager, Author Commented:
I made a silly mistake: gsewsrsr@ourdoamin.com was actually tied to a distro list within Exchange. I gave each person who participated credit since there was no provided solution; however, I thought each of the accepted solutions was helpful.

Thanks, and excuse my mistake.
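The resolution above (the address was on a distribution list that the manual search missed) and Simon's recipient-filtering question, as an added Exchange Management Shell example that is not from the thread: one pass that resolves an address across every recipient type, expands any list it lands on, and lists the other places a silent redirect can live (accepted-domain type, mailbox forwarding, transport rules). The address and domain are placeholders; Get-RecipientFilterConfig assumes the anti-spam agents are installed on the Hub Transport server or that the shell is on an Edge server.

```powershell
# Added example, not from the thread: Exchange 2007 Management Shell checks for an address
# that is accepted and then lands in someone else's inbox. The address is a placeholder.
function Resolve-InboundRecipient {
    param([Parameter(Mandatory = $true)][string]$Address)
    $domain = ($Address -split "@")[1]

    # 1. Domain type: only Authoritative domains reject unknown local parts; InternalRelay and
    #    ExternalRelay accept everything for onward delivery, which behaves like a catch-all.
    Get-AcceptedDomain | Where-Object { $_.DomainName -eq $domain } |
        Format-Table DomainName, DomainType -AutoSize

    # 2. Recipient validation on the Hub/Edge anti-spam agents (assumes the agents are installed;
    #    an appliance in front of Exchange may be doing this instead, as in the thread).
    Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

    # 3. One lookup across every recipient type: mailboxes, mail users, contacts, distribution
    #    groups and mail-enabled public folders all carry proxy addresses of the form SMTP:addr.
    $hits = Get-Recipient -ResultSize Unlimited |
        Where-Object { $_.EmailAddresses -like "*:$Address" }
    if (-not $hits) { "$Address is not a proxy address on any recipient object" }
    foreach ($hit in $hits) {
        "{0} resolves to {1} '{2}'" -f $Address, $hit.RecipientType, $hit.Name
        if ($hit.RecipientType -eq "DynamicDistributionGroup") {
            # Membership is computed from the group's RecipientFilter rather than stored.
            Get-DynamicDistributionGroup -Identity $hit.Identity | Format-List RecipientFilter
        } elseif ($hit.RecipientType -like "*Group") {
            # A list member receiving the mail is what the author saw as a "forward".
            Get-DistributionGroupMember -Identity $hit.Identity |
                Format-Table Name, PrimarySmtpAddress -AutoSize
        }
    }

    # 4. The other two places a redirect can hide: mailbox forwarding and transport rules
    #    (the Transport Rule Agent is enabled in the Get-TransportAgent output above).
    Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingAddress } |
        Format-Table Name, ForwardingAddress, DeliverToMailboxAndForward -AutoSize
    Get-TransportRule | Format-List Name, Conditions, Actions
}

Resolve-InboundRecipient -Address "gsewsrsr@ourdomain.example"
```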